(54) Secure processor with external memory using block chaining and block re-ordering

(57) A scrambled data transmission is descrambled by communicating encrypted program information and authentication information between an external storage device and block buffers of a secure circuit. The program information is communicated in block chains to reduce the overhead of the authentication information. The program information is communicated a block at a time, or even a chain at a time, stored temporarily in block buffers and a cache, and then provided to a CPU to be processed. The blocks may be stored in the external storage device according to a scrambled address signal, and the bytes, blocks, and chains may be further randomly re-ordered and communicated to the block buffers non-sequentially to obfuscate the processing sequence of the program information. Program information may also be communicated from the secure circuit to the external memory. The program information need not be encrypted but only authenticated for security.
Description

BACKGROUND OF THE INVENTION

[0001] The present invention relates to an apparatus for efficiently and securely transferring blocks of program information between a secure circuit and an external storage device. The program information is communicated in block chains for more robust encryption, execution obfuscation, and to reduce authentication data overhead.

[0002] In one embodiment, the program information is encrypted and optionally authenticated in cipher block chains.

[0003] In another embodiment, the program information is authenticated and optionally encrypted in block chains. Block chains greatly reduce authentication data overhead. Address scrambling may be used for heightened security.

[0004] Re-ordering of fields such as blocks or bytes within each chain, as well as among entire chains, may further be used to provide even more security.
[0005] In another embodiment, blocks of program information are provided to the secure circuit to generate a key. The key may be used to decrypt a data transmission.
[0006] The invention is particularly suitable for deterring the copying and reverse engineering of proprietary software algorithms, and for securing cryptographic applications such as the descrambling of pay television programs or the like.
[0007] The following definitions are provided:

Secure Circuit:

[0008] A secure circuit is a cryptographic integrated circuit (IC) in which no one, not even the owner, has access to the internal buses, registers, and other circuitry contained within the IC. The IC may hold sensitive key, identification, and other data, but the secure circuit does not have to be the perimeter of an IC. It could be a Personal Computer (PC), for instance, in a network computer executing a program from a shared storage device accessed over a network. The network computer could be accessing a server for running applications in real time. Portions of the applications are communicated piecemeal to the network computers. The network can allow multiple computers to access the same application at the same time. With a PC, the owner might have access to the decrypted and/or authenticated and/or re-ordered program information received. Moreover, a secure circuit may process unencrypted but authenticated data.

Storage Device:

[0009] A storage device is a discrete memory component, such as an IC, of various types. However, as in the PC example described above, the storage device could be a mass storage device such as a hard disk drive located locally or remotely. If remotely located, data could be communicated between that storage device and the secure circuit over an Ethernet-like network or, for example, according to the IEEE 1394 standard. Local access to the mass storage device, for example, may be over the PC's ISA, VESA, or PCI data bus, or it could even be through a SCSI, serial, or parallel interface. The mass storage device may be accessed by other network computers or secure circuits. The storage device could also be a Jazz(TM) drive, tape, CD-ROM, DVD, Personal Computer Memory Card International Association (PCMCIA) card, smart card, or any other type of mass storage device.

[0010] It is possible, for instance, in the case of the network computer, that program information that is read-only is accessed over the network. A local storage device, e.g., memory, that allows read/write capability may be used that is secure for external storage purposes. Therefore, the storage device may be any combination of device types. And, in the case of a networked storage device, the program information may be copied piecemeal to a faster local memory, which may be synchronous dynamic memory.

Program Information: 

[0011] Program information refers generically to any information that is used by the secure circuit in the execution of a program. This may include instructions such as operational codes (op-codes) in machine code, or pseudo-code or interpreted code, such as Java(TM). It may include look-up tables, stored keys, and various temporary data such as intermediate calculations and the state of the secure circuit.

[0012] It may even include some or all of the initialization vectors and keys used to encrypt/decrypt or verify/authenticate the rest of the program information in block chains. This can allow the same vector or key information to be encrypted under different keys, so that different secure circuits, individually or as select groups, may gain access to the same program information while having derived or been delivered different keys.
[0013] The information could include key information and data having to do with the nature of how the bytes of a block, blocks of a chain, and chains are stored in the storage device. This might include the order permutation information of the various fields of a chain or chain sequences, described in more detail later.

Hash:

[0014] Hash does not strictly denote a one-way function. Although a strict one-way function is a possibility, the function may be reversible under a secret key, or a trap-door one-way function, or be a very simple function such as an XOR operation. (Note that a keyless linear function such as XOR only detects accidental corruption; resistance to deliberate modification requires a keyed or one-way function.)
Data Transmission and Cryptographic Processing:

[0015] Data transmission is used for text, messages, video, and audio signals of all types. These include, but are not limited to, text, messages, video, and audio from broadcast and interactive television and radio, program guides, news services, and interactive message traffic over communication channels. The scrambled data transmission may be sent in various ways, e.g., via a broadcast, satellite, cable, telephone, or other link, or from a removable mass storage medium such as a Digital Video Disk, tape, Compact Disk (CD), floppy disk, or other secure circuit, and received by a descrambling receiver, e.g., a decoder such as a set-top box, player, or a personal computer in a consumer's home.
[0016] The data transmission could simply be a response to a challenge. The challenge causes the secure circuit to transform the challenge information with some type of cryptographic processing to create an output that verifies that the secure circuit indeed holds certain secret or private keys.

[0017] Internal registers in the secure circuit may be incremented or decremented, and the values may be computed along with the secret or private keys to calculate the value to output. Such challenge and response techniques are typically used to authenticate the presence of a valid secure circuit before a service is granted.
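The challenge and response of [0016] and [0017], as an added example in Go that is not part of the patent: the secure-circuit side holds a secret key and an incrementing register, answers with HMAC-SHA256 over the challenge and the register value, and the host side rejects both a wrong key and a replayed response. HMAC-SHA256, the 16-byte random challenge and the strictly-increasing counter rule are this example's assumptions; the page only says that the register is incremented and folded into the calculation together with the key.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SecureCircuit holds a secret key and a monotonically increasing register
// that is folded into every response.
type SecureCircuit struct {
	key     []byte
	counter uint64
}

// Respond computes HMAC-SHA256(key, challenge || counter) over the host's
// challenge and the current register value, then increments the register.
// The counter is returned in the clear so the host can recompute the MAC.
func (c *SecureCircuit) Respond(challenge []byte) (counter uint64, tag []byte) {
	counter = c.counter
	c.counter++
	return counter, responseTag(c.key, challenge, counter)
}

func responseTag(key, challenge []byte, counter uint64) []byte {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	m := hmac.New(sha256.New, key)
	m.Write(challenge)
	m.Write(ctr[:])
	return m.Sum(nil)
}

// Host is the service side: it knows the same key and remembers the last
// counter it accepted, so a replayed response is refused even though its
// MAC is valid.
type Host struct {
	key         []byte
	lastCounter uint64
	seen        bool
}

// NewChallenge draws a fresh random challenge (assumption: 16 bytes).
func (h *Host) NewChallenge() []byte {
	ch := make([]byte, 16)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	return ch
}

// Verify accepts a response only if the MAC matches the challenge the host
// issued and the counter is strictly greater than the last accepted one.
func (h *Host) Verify(challenge []byte, counter uint64, tag []byte) bool {
	if !hmac.Equal(tag, responseTag(h.key, challenge, counter)) {
		return false
	}
	if h.seen && counter <= h.lastCounter {
		return false // replay, or a register that was rolled back
	}
	h.lastCounter, h.seen = counter, true
	return true
}

func main() {
	key := []byte("constructed-example-key-not-a-real-secret")
	circuit := &SecureCircuit{key: key}
	host := &Host{key: key}

	ch := host.NewChallenge()
	ctr, tag := circuit.Respond(ch)
	fmt.Println("first response accepted:", host.Verify(ch, ctr, tag))
	fmt.Println("replayed response accepted:", host.Verify(ch, ctr, tag))
	fmt.Println("wrong-key response accepted:",
		host.Verify(ch, ctr, responseTag([]byte("other"), ch, ctr)))
}
```

The counter only protects against replay if both sides keep it in storage that survives a power cycle; a circuit whose register resets to zero on boot lets an observer replay every response it recorded before the reset.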

Cryptographic Processing:

[0018] This is processing performed by a secure circuit which typically results in the generation of a key. The key may then be used for many things: scrambling and descrambling a data transmission, identity verification by a client or host, etc. The key does not always have to be self-contained within the secure circuit. For example, it may be sent out of the secure circuit for verification reasons.

[0019] Various problems are now addressed.

Problem: Various Proprietary Algorithms can be Stolen

[0020] Software painstakingly developed at great expense may be trivially copied from external storage devices. The problem is exacerbated by open networks such as the Internet, which can allow rapid and far-flung distribution of the pirated code.

[0021] With the increasing speeds of general purpose processor chips, there is a trend to perform in software many processing tasks that were once done in hardware. The software is communicated through the use of discrete memory components and/or storage devices, including mass storage devices. This can allow for quick reconfiguration of the processing system for different applications by simply executing different software. But that trend is hampered by the fact that the software can be easily copied, disassembled, reverse-engineered, and subsequently distributed, thereby depriving the developer and/or inventor of the benefit of this intellectual property.

[0022] Also, with increasing speed and reliability of networks, e.g., Ethernet going from 10 megabits per second to 100 megabits per second and so on, it is realistic to implement systems whereby software can be executed in real time over a network. So-called network computers would always be accessing the latest revision of an application loaded on a network-based server. Any application in the archives of this server could be accessed quickly. But such servers may be susceptible to someone downloading and storing the entire application, thereby depriving the service provider of on-going revenue. Once downloaded, the software could be easily shared with others.

[0023] It would therefore be desirable to make software analysis and reverse engineering, as well as software copying and reuse by general purpose processors, more difficult.

Problem: Cryptographic Key Generator

[0024] Cryptographic applications typically involve the generation/derivation of a key based on secret or private key information.

[0025] A typical cryptographic key generator performs cryptographic processing on data transmissions. Scrambling data transmissions has become increasingly important due to the need to deter unauthorized persons (e.g., pirates) from gaining access to data transmissions. No matter how the data is transmitted or delivered, the cryptographic processing is present to ensure that providers of the data, e.g., the scrambling senders, get paid for the intellectual property they are transmitting. In the case of a communications network, messages may be scrambled to ensure the privacy of messages, and to authenticate both the sender and recipient. It can allow for non-repudiation, to prevent a recipient from later claiming that they did not order the data. Non-repudiation is important to providers because they have a higher expectation of getting paid. No one else has the cryptographic keys necessary to authenticate messages like the bona fide buyer. The data transmission is cryptographically processed, e.g., scrambled, prior to transmission under one or more secret scrambling keys. The cryptographically processed data transmission is received by a cryptographic deprocessor (descrambling receiver) such as a set-top box, media player, or a personal computer in a consumer's home.

[0026] Typically, the cryptographic processing such as what is done by a descrambling receiver is done in a secure circuit. The secure circuit is provided with the required keys at the time of manufacture or application installation and initialization, and performs a type of processing to grant access to the data transmission. If access is allowed, then the decryption key is derived. When the decryption key is used in conjunction with an associated hardware or software decryption module, the data transmission is descrambled, e.g., made viewable or otherwise suitable for the user.
[0027] The descrambling hardware or software may be included in a secure circuit such as an application-specific IC (ASIC).

[0028] Likewise, the scrambling sender, e.g., a PC in someone's home scrambling information such as credit card numbers for delivery to a merchant over the Internet, uses the required keys loaded at the time of manufacture or application installation and initialization to derive a key to scramble the sensitive data for transmission.

[0029] In the PC example, the scrambling can be done in a software module, but the scrambling may not actually take place in what is considered the secure circuit. The key derived in either case (for scrambling and descrambling) may be output from the secure circuit to the hardware or software scrambling/descrambling module, or the secure circuit may hold the key internally, with the decryption module internal to the secure circuit. Preferably, the key is held and the scrambling/descrambling is performed internally to the secure circuit.

[0030] If the key is output from the secure circuit, it can be changed very quickly, even several times a second, thereby making its knowledge only of short-lived use. The scrambling/descrambling hardware or software module may be located remotely from the secure circuit which derived the key to scramble/descramble the data transmission.
[0031] For a PC executing instructions over a network, the secure circuit may be the PC itself, and the descrambling unit could simply be a software module that receives a length and pointer to, for example, a message in internal or external memory, along with the appropriate key and cryptographic function identifier.
[0032] The function performed by the cryptographic processing in the secure circuit could entail message hashing, signing, and signature authentication using publicly known hashing algorithms and public key cryptography.

[0033] In both the ASIC case and the PC case above, a microprocessor is typically used for implementing access control and performing hashing, signature verification, signing, and authentication functions. This processing verifies that the secure circuit is indeed authorized to decrypt the data transmission. If authorized, the microprocessor then derives the descrambling key for the data transmission. The secure circuit typically has an internal storage device, e.g., memory, for storing descrambling program information for use by the microprocessor, storage for storing the descrambling key data and state of the decoder, and a scratch-pad memory for storing intermediate calculations and temporary data. The state of the descrambling receiver, e.g., decoder, may indicate, for example, whether the decoder is tuned to a particular channel and the channel identifier. The state of the descrambling receiver may also store whether it is authorized to receive the channel, and whether a program tuned, for example, is subscription, pay-per-view, or video-on-demand.

[0034] It would therefore be desirable to make pirate attacks against cryptographic key generators executing with external memory more difficult.

Problem: Inflexibility of Using Internal ROM, and RAM Capacity Issues

[0035] For an ASIC, the internal memory used by the IC to store program information may be created from read-only memory (ROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), Flash memory, or battery-backed random access memory. Typically, the foundry processes for manufacturing ASICs with the smallest geometries and fastest circuits are developed and characterized for ROM- and RAM-based technology initially. EEPROM and Flash capability come at a later time. Therefore, a performance advantage over other technologies may be obtained by designing the ASIC to use ROM- and RAM-based technology. Also, it is easier for VLSI foundries to build devices with ROM and RAM than with EEPROM and Flash because of their simpler design. Therefore, the designer may realize a lower manufacturing cost with ROM- and RAM-based designs.

[0036] Creating an internal memory entirely out of battery-backed RAM is generally impractical because a RAM cell, with its ability to allow reading and writing of data, contains many more gates and is typically a much larger structure than a ROM cell, which only allows reading of data. Therefore, such a RAM memory stores far less programming information than a ROM memory of equal physical size.

[0037] However, there are drawbacks to storing the programming information in internal ROM, since the entire ASIC must be replaced to change the program information. This may be necessary or desirable, for example, to fix a software problem (e.g., a bug), or to provide new or customized features for different customers. To achieve this, a new chip must be manufactured with the change in program information. This can be very costly and time-consuming.

[0038] Also, no matter how much storage of any type is built into the secure circuit, e.g., an ASIC, it may be too much or too little for any given application. If the storage is larger than required, the price of the secure circuit is higher than necessary. If the storage is smaller than required, then the circuit is either inadequate for the task, or features must be omitted to make the software fit. Rarely is the size of the storage just right.

[0039] Accordingly, it would be desirable to provide a scheme for modifying the capacity of a storage device, e.g., the amount of memory, and for easily and inexpensively updating the program information of a secure circuit such as a cryptographic chip. The system should store the program information in a storage device which is external to the secure circuit and provide for efficient and secure transfer of the program information between the storage device and the secure circuit. The transfer of program information should be fast enough, even over a network, to meet code execution requirements. Moreover, the amount of internal storage, e.g., memory, required to make the secure circuit operate should be limited. The system may use a limited amount of quickly accessible internal program information which could boot the secure circuit, monitor error conditions, interpret pseudo-code, or handle real-time processing events. However, if this internal program information is stored in an inflexible form, e.g., ROM or read-only CD-ROM, it cannot be changed as easily as externally stored program information.

Problem: Securing External Storage - Authentication Overhead

[0040] In the past, various encryption techniques have been used on bytes and blocks. But pirates have employed a variety of "attacks" to break the security of the system. One attack attempts to get the secure circuit to read the encrypted memory and write it out to a clear area where the program information may be captured and then analyzed. An attack of this type actually employs the decryption circuitry itself to decrypt the program information, precluding the need to do more extensive analysis.

[0041] Another attack tries to break the security of the application itself, by changing the execution of the application in order to make the secure circuit, in this case in the descrambling receiver, descramble premium services without paying the appropriate subscription fees. To accomplish these and other attacks, the pirates attempt to modify the contents of the external storage device, e.g., memory. One technique used to accomplish this is "trialing," where program information in the external storage device is manipulated in a trial and error approach. The pirate does not know which secret key or keys were used to encrypt the program information, but attempts to manipulate the program information in the external storage device until a useful outcome is obtained.

[0042] To prevent these and other attacks from being successful, either authentication, stronger encryption, re-ordering of chain fields, or any combination of the above, may be used.

[0043] Authentication may be used to verify the origin of the program information. In a system using authentication, the secure circuit will not process program information which is not accompanied by the correct authentication information. Strong prior art authentication is expensive. However, the amount of authentication information must be sufficiently large to provide an adequate level of security. In conventional memory encryption schemes using byte encryption or block encryption, authentication information would be needed with each byte or block which the chip fetches from the external storage device. For a single byte of program information, several bytes of authentication information would be needed to prevent trialing. In other words, the byte would need to be widened to include the additional authentication information. If an eight bit byte of program information were widened to include only 8 additional bits of authentication information, the authentication information could easily be determined by trialing since, with eight bits per byte, there are only 2^8 = 256 possible trialing combinations. To provide a security level comparable to the Data Encryption Standard (DES), 56 bits (seven bytes) might be used to provide 2^56 ≈ 7.2 × 10^16 possible combinations of authentication information. The authentication information would thus represent 7/(1 + 7), or 87%, of the overall storage. This amount of overhead data is very inefficient.

[0044] With block encryption, several bytes of data are grouped and authenticated in a block. For example, a block size of 8 data bytes may be used. Then, with seven bytes of authentication information, the overhead is still very high at 7/(8 + 7), or 47%, of the overall storage. The excessive overhead data can severely affect the cost of the overall system by requiring a significantly larger storage device just to handle the authentication information. This is unacceptable with consumer electronic devices such as hand-held games, cellular phones, and television decoders, which must be manufactured at the lowest possible cost. In particular, the cost of the storage devices is usually a significant limiting factor. Thus, the amount of authentication information overhead is unacceptably large with existing data authentication schemes.

[0045] Accordingly, it would be desirable to have a system which minimizes the amount of authentication information (e.g., check bits) which is required to securely communicate program information.

Problem: Encryption of Program Information Inadequate

[0046] Trialing attacks on a single encrypted byte of program information are trivial to perform. Assuming an 8 bit byte again, this requires the trialing of only 2^8 = 256 possibilities for the program information to obtain an exact result. For some pirate attacks, however, the ability to simply change program information to something different is the goal. In this example, then, simply the ability to trial a single byte value without influencing other bytes would result in a successful pirate attack.
[0047] Trialing attacks on a single encrypted block of program information are a bit more difficult but still manageable. Large general purpose Reduced Instruction Set Computing (RISC) processors, for example, have instructions that are 64 bits long. Assuming an 8 byte block and 8 bits per byte, it is relatively easy for a pirate to alter a block of program information and affect only one instruction.

[0048] Even with instruction widths half that size, e.g., 32 bits, only two instructions are affected. So-called Complex Instruction Set Computing (CISC) processors are equally at risk for attack. And CISC processors described as "8 bit processors" are not really 8 bits, because they typically require the fetching of one, two, or three operands of program information, which makes any instruction have between 8 and 32 bits, with an average of about 20 bits, though this depends on the choice of instructions used by the program. Therefore, trialing an 8 byte block of encryption values for so-called "8 bit" instructions might only affect three instructions.
[0049] Accordingly, it would be desirable to have a more robust encryption algorithm to securely communicate program information.
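The overhead arithmetic of [0043] and [0044] and the block-trialing weakness of [0046] to [0048], as an added Go example (not the patent's own design): one truncated HMAC-SHA256 tag covers a whole CBC chain, so the tag is amortised over the chain and any trialed block fails the chain check before anything is decrypted. DecryptUnchecked shows what trialing achieves when the chain is encrypted but not authenticated: CBC makes a flipped ciphertext bit reappear as the same flipped bit in the next plaintext block, which is exactly the "alter one block, affect one instruction" attack the page describes. Assumptions of the example: AES with 16-byte blocks instead of the page's 8-byte blocks, an 8-byte tag, a per-chain IV derived from the chain number under the MAC key, and constructed keys in main.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Assumptions: AES (16-byte blocks, not the page's 8-byte blocks), one 8-byte
// truncated HMAC-SHA256 tag per chain, per-chain IV derived from the chain number.
const (
	blockLen = aes.BlockSize
	tagLen   = 8
)

// Overhead: fraction of external storage spent on authentication when one
// tag of tagBytes covers payloadBytes of program information.
func Overhead(payloadBytes, tagBytes int) float64 {
	return float64(tagBytes) / float64(payloadBytes+tagBytes)
}

// prf keys every derived value (IV, tag) to the chain number.
func prf(macKey []byte, label string, chainID uint32, data []byte) []byte {
	var id [4]byte
	binary.BigEndian.PutUint32(id[:], chainID)
	m := hmac.New(sha256.New, macKey)
	m.Write([]byte(label))
	m.Write(id[:])
	m.Write(data)
	return m.Sum(nil)
}

// SealChain CBC-encrypts one chain and appends a single tag over
// chainID || ciphertext, binding the tag to the chain's position as well as
// to its contents.
func SealChain(encKey, macKey []byte, chainID uint32, blocks [][]byte) ([]byte, error) {
	blk, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, 0, len(blocks)*blockLen)
	for _, b := range blocks {
		if len(b) != blockLen {
			return nil, fmt.Errorf("block must be %d bytes, got %d", blockLen, len(b))
		}
		plain = append(plain, b...)
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(blk, prf(macKey, "iv", chainID, nil)[:blockLen]).CryptBlocks(ct, plain)
	return append(ct, prf(macKey, "tag", chainID, ct)[:tagLen]...), nil
}

// OpenChain checks the chain tag before decrypting; nothing is released on a
// mismatch, so a trialed block never reaches the CPU.
func OpenChain(encKey, macKey []byte, chainID uint32, chain []byte) ([][]byte, bool) {
	if len(chain) < tagLen || (len(chain)-tagLen)%blockLen != 0 {
		return nil, false
	}
	ct, tag := chain[:len(chain)-tagLen], chain[len(chain)-tagLen:]
	if !hmac.Equal(tag, prf(macKey, "tag", chainID, ct)[:tagLen]) {
		return nil, false
	}
	return DecryptUnchecked(encKey, macKey, chainID, ct), true
}

// DecryptUnchecked is CBC decryption with no tag check, kept only to show the
// block-trialing weakness: flipping bits in ciphertext block i garbles plaintext
// block i and flips exactly those bits in plaintext block i+1.
func DecryptUnchecked(encKey, macKey []byte, chainID uint32, ct []byte) [][]byte {
	blk, err := aes.NewCipher(encKey)
	if err != nil || len(ct)%blockLen != 0 {
		return nil
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, prf(macKey, "iv", chainID, nil)[:blockLen]).CryptBlocks(pt, ct)
	out := make([][]byte, 0, len(pt)/blockLen)
	for i := 0; i < len(pt); i += blockLen {
		out = append(out, pt[i:i+blockLen])
	}
	return out
}

func main() {
	encKey, macKey := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 32) // constructed
	blocks := [][]byte{bytes.Repeat([]byte{'A'}, 16), bytes.Repeat([]byte{'B'}, 16), bytes.Repeat([]byte{'C'}, 16)}
	chain, _ := SealChain(encKey, macKey, 7, blocks)
	_, ok := OpenChain(encKey, macKey, 7, chain)
	fmt.Println("intact chain accepted:", ok)
	chain[blockLen] ^= 0x01 // trial one bit of ciphertext block 1
	_, ok = OpenChain(encKey, macKey, 7, chain)
	fmt.Println("tampered chain accepted:", ok)
	pt := DecryptUnchecked(encKey, macKey, 7, chain[:len(chain)-tagLen])
	fmt.Printf("block 2 with the tag check skipped: %q\n", pt[2]) // one controlled byte change
	fmt.Printf("overhead: per byte %.0f%%, per 8-byte block %.0f%%, per 16-block chain %.1f%%\n", 100*Overhead(1, 7), 100*Overhead(8, 7), 100*Overhead(128, 7))
}
```

With the page's numbers, a 7-byte tag costs 87% of storage per byte and 47% per 8-byte block; amortised over a 16-block chain of 8-byte blocks the same tag is about 5% (Overhead(128, 7)). The price is that a chain is validated as a unit, so the block buffers must hold the whole chain before the CPU may use any block of it.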


Problem: Execution, Even Encrypted, is Observable

[0050] Even though blocks of program information may be encrypted or authenticated, someone observing the traffic of data on a communications means, e.g., a bus or network, can learn about the function and design of the program information. The more information that a pirate might learn about the program information, the more ways that he might have to alter program execution. An internal storage circuit such as a cache may obfuscate some of the function and design by referencing data that was either only decrypted, decrypted and authenticated, or simply authenticated from the internal storage circuit, rather than having to fetch the program information again externally.

[0051] A problem arises, however, because the original communication sequence, that which loaded the program information into the cache in the first place, may be observed. A system without a cache is even easier to analyze because recursive code, e.g., loops, can be seen on the external interface. It would be easy to see the same encrypted, encrypted and authenticated, or simply authenticated program information being communicated over and over again. A cache will blind this operation by making the communication internal to the cache and not visible on the communication means. However, a clever pirate might notice that no external communication was occurring and conclude that therefore some sort of internal operation was occurring. In principle, it is not desirable to have a pirate learn anything about the algorithm being executed. This includes the overall structure, such as byte to block, block to chain, or chain to program information sequence association; the sequence of processing, such as always executing particular program information on boot-up; and the organization of the program information, such as data table organization.

[0052] It would therefore be desirable to have techniques for obfuscating the execution of encrypted, authenticated, or any chain of program information. It would be desirable to communicate the program information in a manner which is out of sequence from the true execution sequence by the secure circuit. The sequence may be obfuscated within a block, chain, or program information sequence.
[0053] That is, it would be desirable to obfuscate the sequencing of the bytes that make up a block, the blocks that make up a chain, and the chains that make up a program information sequence. The sequence permutation may be fixed and yet be different on a byte by byte, block by block, chain by chain, or program information sequence basis. It would be desirable to spread the sequence obfuscation to be of greater depth, that is, greater than a block, for instance over two blocks or, for that matter, an entire chain. The same would be desirable for all of the other fields.

Problem: Sequence Permutation Algorithm may be Discovered

[0054] Any sequence permutation algorithm implemented in hardware may be discoverable by a pirate probing the VLSI or by other analysis. The permutation function may be keyed and be both address and unit dependent. However, this does not preclude a determined pirate from discovering what the key and dependencies are.

[0055] It would therefore also be desirable to have a way of making analysis and reverse engineering of the sequence permutation more difficult.

Problem: Underlying Sequence Does not Change - Address Location Always the Same

[0056] Even with the sequence permutation, a pirate may observe every communication between the storage device and the secure circuit and know which bytes belong to which blocks, and which blocks belong to which chains. That is, a particular address location in the storage device is associated with a particular byte, block, or chain sequence. The address location will always contain the same information. The pirate may not know what the exact positional information is because of the sequence obfuscation, but he knows that its association with the other bytes, blocks, or chains is fixed. The pirate does not need to know what the value of the program information stored at a particular location is. The pirate can trial a value at that storage location. The pirate can do this systematically, going through all values, even though the storage location is accessed at varying times due to the sequence permutation techniques.
[0057] It would therefore be desirable to have a scheme for dynamically changing the address location in the storage device where data representing a particular byte, block, or chain sequence is located, to prevent someone from systematically trialing code.
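The permutation and address-scrambling ideas of [0052] to [0057], as an added Go example rather than anything taken from the patent: a keyed Fisher-Yates shuffle driven by HMAC-SHA256 (an assumption; the page leaves the permutation function open) fixes the order in which a chain's blocks are communicated, and a second shuffle keyed by an epoch counter chooses the physical address of each slot, so the same logical block does not sit at the same storage address once the chain is re-stored for a new epoch. The byte-slice "external memory", the base address and the chain and epoch numbers are constructed for the example; the circuit recovers a block from nothing but the key, chain number and epoch.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const blockLen = 8 // the page's 8-byte blocks

// prf is the keyed function behind both permutations (assumption: HMAC-SHA256;
// the page leaves the permutation function open).
func prf(key []byte, label string, fields ...uint32) uint64 {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	for _, f := range fields {
		var b [4]byte
		binary.BigEndian.PutUint32(b[:], f)
		m.Write(b[:])
	}
	return binary.BigEndian.Uint64(m.Sum(nil)[:8])
}

// keyedPerm is a Fisher-Yates shuffle of 0..n-1 whose swaps are chosen by the
// keyed PRF, so it is a bijection that depends on key, label and fields.
func keyedPerm(key []byte, label string, n int, fields ...uint32) []int {
	perm := make([]int, n)
	for i := range perm {
		perm[i] = i
	}
	for i := n - 1; i > 0; i-- {
		j := int(prf(key, label, append(fields, uint32(i))...) % uint64(i+1))
		perm[i], perm[j] = perm[j], perm[i]
	}
	return perm
}

// OrderPerm is the communication order of one chain: slot s carries logical
// block OrderPerm[s], so blocks leave the storage device out of sequence.
func OrderPerm(key []byte, chainID uint32, n int) []int {
	return keyedPerm(key, "order", n, chainID)
}

// LayoutPerm maps slot s to physical block offset LayoutPerm[s] within the
// chain's region. It is keyed by the epoch as well, so re-storing the chain
// for a new epoch re-scrambles where each block lives.
func LayoutPerm(key []byte, epoch, chainID uint32, n int) []int {
	return keyedPerm(key, "addr", n, epoch, chainID)
}

// Inverse returns inv with inv[perm[s]] == s.
func Inverse(perm []int) []int {
	inv := make([]int, len(perm))
	for s, v := range perm {
		inv[v] = s
	}
	return inv
}

// Address is the scrambled byte address of logical block k of a chain.
func Address(key []byte, base, epoch, chainID uint32, n, k int) uint32 {
	slot := Inverse(OrderPerm(key, chainID, n))[k]
	return base + uint32(LayoutPerm(key, epoch, chainID, n)[slot])*blockLen
}

// Store writes a chain to external memory (a byte slice stands in for the
// storage device) slot by slot, each slot at its scrambled address.
func Store(key, mem []byte, base, epoch, chainID uint32, blocks [][]byte) {
	n := len(blocks)
	order, layout := OrderPerm(key, chainID, n), LayoutPerm(key, epoch, chainID, n)
	for s := 0; s < n; s++ {
		a := base + uint32(layout[s])*blockLen
		copy(mem[a:a+blockLen], blocks[order[s]])
	}
}

// Fetch is the secure circuit's read of logical block k.
func Fetch(key, mem []byte, base, epoch, chainID uint32, n, k int) []byte {
	a := Address(key, base, epoch, chainID, n, k)
	return mem[a : a+blockLen]
}

func main() {
	key := []byte("constructed-permutation-key") // not a real secret
	mem := make([]byte, 4096)
	blocks := make([][]byte, 16)
	for k := range blocks {
		blocks[k] = []byte(fmt.Sprintf("b%07d", k)) // constructed 8-byte blocks
	}
	for epoch := uint32(0); epoch < 2; epoch++ {
		Store(key, mem, 1024, epoch, 3, blocks)
		fmt.Printf("epoch %d order %v\n", epoch, OrderPerm(key, 3, 16))
		fmt.Printf("epoch %d block 5 at 0x%x -> %q\n", epoch,
			Address(key, 1024, epoch, 3, 16, 5), Fetch(key, mem, 1024, epoch, 3, 16, 5))
	}
}
```

Nothing about the mapping is stored in the clear in the external device, but the epoch must be tracked on both sides, and moving to a new epoch is a full rewrite of the chain region rather than an update of one block.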

Problem: Every Communication is Pertinent 

[0058] A pirate may observe every communication of program information between the storage device and the secure circuit and know that it is encrypted, authenticated, sequence permuted, or all of the above.

[0059] For additional obfuscation, it would be desirable to communicate "dummy" or not necessarily needed data along with the program information communicated.

Problem: Bi-directional Write and Read Required 

[0060] The storage device can be read-only, but there are many reasons why the storage device should also be writable. Different cryptographic and non-cryptographic yet proprietary applications have varying requirements for data storage.
[0061] Modern cryptographic applications often employ public key cryptography, which generally requires larger keys than secret key cryptography. The scrambling sender or descrambling receiver may perform some type of cryptographic application which may interface on an open network such as the Internet, which may require the storing of a number of various public keys, e.g., from a Root Authority or Certificate Authority. Also, with pay television decoders, there are public keys for the access control system and/or the decoder manufacturer. Over time, many more public keys may need to be stored as a result of interacting on the network. Some of these keys are meant to be long-lived, and the public keys may be 2048 or 4096 bits, or larger. Consequently, a large capacity storage device, e.g., a large amount of read/write storage, may be required for storage of keys and other related information to effect a viable cryptographic application.
[0062] The same can be said for many proprietary; V 
applications, the trend, is to process more and J^ore ^ ' 
data. It is desirable "to. have ,gn^t flexibility with 4o 
and amount of storage for writing and later retrieval of 
program information as. there is for just reading program 
information. . ' 

[0063] Accordingly, it would be desirable to have secure bi-directional communication between an external storage device and a secure circuit, which has the flexibility to accommodate growing requirements for additional program information storage without requiring a design change of the secure circuit. Also, the security of the overall implementation cannot be diminished. 

Problem: Communication with Non-Secure Outside 
World and Alternative Security Modes 

[0064] The secure circuit may have to interface with display devices, peripherals or computers which do not have a decryption means. This is important where interactivity with a human is involved. For example, if a customer inputs a Personal Identification Number (PIN) code wrong, it may be necessary for the secure circuit to inform the customer of the problem so that the PIN may be reentered. This may require communication with the host device of an error condition or of an error message which may be displayed appropriately on a screen. There may be a shortage of pins, communication ports, or buses which may be dedicated to external communication. 

[0065] The execution of some program information may have reduced execution latency requirements, requiring an alternate communication mode other than by chains. Also, the secure circuit may need to interoperate with other devices which have different security schemes. 

[0066] It would also be desirable to provide a conditional clear mode whereby no encryption/decryption, authentication generation/verification, or sequence permutation of the program information is performed. This conditional clear mode would not only allow a possible chip debug facility, but also allow the secure circuit to interface, i.e., send and receive clear data, with the world at large, such as display devices, other computers, and the like, thereby allowing the communications means to be used for more than the conveyance of program information; this would reduce the number of separate pins, communication ports, and buses used for external communication. 

[0067] It would also be desirable to switch off the chain encryption/decryption, authentication generation/verification, or sequence permutation of the program information, in favor of a different type of encryption/decryption, authentication/verification, or sequence permutation that is not based on chains. For example, instead of a chain, byte or block processing may be used. 

Problem: Detection of Chain Lengths 

[0068] A pirate may be able to analyze the execution of the program information to determine what program information belongs with a particular chain. That knowledge could allow a pirate to trial program information in a more selective fashion. In principle, it is a good idea to prevent a potential pirate from learning anything about how the program information is executing. 
[0069] It would therefore be desirable to communicate blocks of program information with variable chain lengths in random sequence from one chain to the next, with no particular consideration being given to the program information being executed. 

Problem: Different Latency Requirements 

[0070] Real-time interrupt subroutines have different execution latency requirements than background or maintenance routines. There is a natural tendency for a designer to make shorter chains for all of the program information to simply handle the faster execution requirements of real-time interrupt subroutines. But reducing chain lengths for all of the program information may unnecessarily increase the storage capacity of the storage device to accommodate the increased amount of authentication information. 

EP0 908 810 A2 

[0071] It would therefore be desirable to communicate blocks of program information and associated authentication information in block chains, where different chain lengths may be used for communicating different types of program information with different latency requirements. Routines placed in lower address locations could have lower latency, while those in a higher address location of a storage device could have higher latency requirements. 

Problem: General Communication/Storage Latency Requirements 

[0072] While certain routines may have special execution latency considerations, the latency may still be too much for certain applications. Consequently, means must be explored to allow for more efficient communication and storage of program information. 
[0073] It would be desirable to design certain features into the architecture of the communication means and secure circuit in order to help reduce program information latency and so help speed up execution. 

Problem: Authentication/Verification Latency Requirements 

[0074] While certain routines may have special execution latency considerations, the latency due to authentication/verification may still be too much for certain applications. Consequently, means must be explored to allow for more efficient authentication/verification. 
[0075] It would therefore be desirable to design certain features into the authentication/verification function to help reduce program information execution latency. 

Problem: Encryption/Decryption Latency Requirements 

[0076] While certain routines may have special execution latency considerations, the latency due to encryption/decryption may still be too much for certain applications. Consequently, means must be explored to allow for more efficient encryption/decryption. 
[0077] It would therefore be desirable to design certain features into the encryption/decryption function to help reduce program information execution latency. 
[0078] The present invention provides a system having the above and other advantages. 

SUMMARY OF THE INVENTION 

[0079] In accordance with the present invention, an apparatus is presented for securely communicating encrypted blocks of program information between a storage device and a secure processing circuit in cipher block chains. 

[0080] An apparatus is presented for securely commu- 
nicating authenticated blocks of program information 
between a storage device and a secure processing cir- 
cuit in block chains. 

[0081] An apparatus is presented for securely communicating re-ordered fields of program information between a storage device and a secure processing circuit in chains. 

[0082] The present invention further provides an apparatus for cryptographically generating a key whereby the key may be used to gain access to a data transmission or the like. 

[0083] In one aspect of the present invention, an apparatus for securely communicating blocks of program information between a storage device and a secure circuit includes means for providing at least one block of program information including a particular block comprising a plurality of bytes having a first byte sequence. 

[0084] One block buffer sized to store one block of data is all that is required for a minimal implementation since the data can be processed serially, one block at a time. 

[0085] Means, such as an address generator, are provided for storing the block(s) of program information in the storage device. 

[0086] Cipher block chaining is a robust encryption 
algorithm because a change in one block will cascade 
changes to other blocks making it difficult for a pirate to 
effect a simple change to the program information. 
[0087] Cipher block chaining may be used to both 
hash and encrypt for privacy. The last clear text block 
may be exclusive ORed (XORed) on the encrypted 
authentication block to provide a dependence of the 
entire cipher block chain on the decryption of the 
authentication block. 

[0088] For example, the program information and authentication information may be carried in two or more eight-byte blocks. Block chaining is efficient due to the relatively low overhead of the authentication information relative to the authenticated data. The authentication information is XORed with the last clear data (e.g., program information) block and optionally decrypted to yield a verification value. The value is compared to a value which is known by the hardware to verify that the authentication data is correct. The value may be different for different chains or it may be fixed for all chains. To provide additional separation between keys, the key used to decrypt the authentication information may be different from that used to decrypt the authenticated information. Also, with each decryption operation the key may be modified with the address to provide address dependency of each block within a chain. 

[0089] For more robust security, cipher block chaining may be used along with another hashing algorithm. There is no additional latency penalty for doing this since each block must be processed in a serial fashion. When the first block is decrypted it is not only XORed with the cipher text of the second block, but it is also submitted to the authentication circuit. The last block is the authentication bits, and it does not require submission to the authentication circuit; it is simply decrypted and compared to a value held in the hardware. 
[0090] A first communication path such as a bus is provided to communicate blocks of the program information and authentication information between the external storage device and the one or more block buffers in a chain. One block buffer sized to store one block of data is all that is required for a minimal implementation since the data can be processed serially one block at a time. The authentication information is read in and verified by the authentication circuit. 
[0091] The program information is decrypted, if necessary, in a deciphering circuit, which is associated with the authentication circuit. Cryptographic key data from an associated storage device may be used for this purpose. 

[0092] If a pirate changes any data in preceding blocks in the chain for trialing, the computed hash data that is compared with the authentication information will be incorrect, and the resulting verification value will not match. The secure circuit, such as an ASIC or PC, will then know that tampering has occurred and countermeasures may be taken. 

[0093] There are a number of ways the authentication operation can be implemented. The hashing may be keyed, e.g. using a secret key, with the authentication information in the clear, or the hashing may not be keyed and the authentication information is encrypted, or, for more robust security, the hashing is keyed and the authentication information is encrypted. Different keys may be used to hash and to decrypt. The hashing key may be a secret key, while the authentication information may be encrypted under a public key. The same key used to encrypt the authentication information may be used to encrypt the program information being authenticated. That has the benefit of the authentication information being treated in a similar fashion as the program information. However, using a separate key would add another level of security. 
[0094] In an alternative embodiment, block encryption is used for privacy. When decrypted, the blocks are authenticated. The authentication technique used can be a hash which might require a strict order of hashing, e.g. block #1 hashed, then block #2 hashed with the output of the hash of block #1, and so on. Known algorithms such as MD5 and SHA may be used for this type of strict hashing. 

[0095] Although such hashing may be used, the hashing can introduce a latency due to the serial nature of the operation. A simplified hashing function can be provided that performs an XOR of all of the clear blocks. That hash value can be verified with the authentication information. In fact, the authentication information can be XORed as a block along with the program information. This technique improves program information execution latency, which is important for real time operating systems. Here, each block of data can not only be decrypted independently as in Electronic Code Book as called out by FIPS, but also XORed independently while computing the hash for the entire chain. This technique, which is termed "simple block chaining", emphasizes reduction in execution latency. 

[0096] Detection of illegal op-codes or illegal interpreted code commands may be used as a form of authentication. Upon receipt of an illegal op-code or command, the system can decide how to respond, e.g., reset, increment a counter, or some other action. 
[0097] The creation of an illegal op-code by a pirate depends on the instruction set of a given processor. Some instruction sets are fully developed and have few, while other instruction sets are reduced and have more undefined, or illegal, op-codes. If an instruction set, for example, had 20% undefined or illegal op-codes, then that means that a pirate has an 80% chance of randomly creating a legal op-code. This is not to say that the pirate generated a particular op-code, rather a legal one. But a random legal op-code other than the intended one could make for a successful pirate attack. For example, this might be the case if simple nullification of the original op-code was the goal. With the odds of 80% in favor of a pirate, this method of simply detecting illegal op-codes leaves much to be desired. 
[0098] Illegal op-code detection, as a form of authentication, is more effective with cipher block chaining because the odds of a pirate creating an illegal op-code are increased, as each subsequent block in a particular chain will be affected. For example, if there are 16 blocks of instructions in a chain, then the odds of a pirate being successful if the pirate alters the very first block of the chain are as follows: (0.8)^16 ≈ 0.028. The situation has changed; the pirate now has approximately a 97% chance of failing. Cipher block chaining is a more robust encryption method for this reason: this implicit authentication through the detection of illegal op-codes. But cipher block chaining is also better because it makes it more difficult for a pirate trialing the encryption of program information to isolate any changes made to a single block, thereby increasing the odds of creating unintended op-codes with unwanted side effects. 
[0099] A problem is that the external storage device stores more than just op-codes. Only op-codes can be verified by the instruction decode circuitry of the CPU. More robust security requires explicit authentication. 
[0100] Authentication can be performed by either XORing the authentication information with a hash of the clear text data blocks to produce a verification value that is subsequently compared to a pre-stored value, or the authentication information can be simply compared to the hashed program information. 
[0101] The authentication function may optionally hash blocks of program information that were communicated in the clear to XOR with the decrypted authentication information. In order to prevent pirates from creating their own authenticated program information using a known hashing algorithm, a cryptographic key must be used. This can be done two ways: keying the hashing or keying the authentication, or both. 
[0102] Simple block chaining, an alternative technique which addresses latency problems, uses a single block encryption of each block of program information. Thus, each block is encrypted and decrypted independently so processing may occur in parallel. Moreover, the entire chain, or group, of blocks is authenticated. One method of hashing is to XOR the program information blocks together and with the authentication information. This can be done all at once. 

[0103] More complicated hashing may be used as well for more robust security, but these methods may introduce a serial dependence, whereby one block may need to be hashed ahead of another block. Simple block chaining, using the encryption and authentication process described above, reduces the authentication bit overheads as with cipher block chaining, but can avoid the latency problems of cipher block chaining when parallel deciphering circuitry is used. If only a single block buffer is used, then the latency is about the same for cipher block chaining and simple block chaining, the only difference being that the output of one block decryption is XORed with the output of the next decryption (with simple block chaining) rather than the input to the next decryption (with cipher block chaining). 
[0104] The simple block chaining method, decrypting and authenticating using the XOR of clear blocks, suffers from the problem that any of the blocks may be re-ordered out of sequence and the authentication will still check out. So while decryption and authentication operations may be done in parallel, a potential problem has been introduced. Encryption with address dependency should be used with simple block chaining using the simple XOR hashing function. 

[0105] That is, the key used with each block in the chain would be different, with the key being a function of the address of the specific block. If DES encryption were used, changing any of the program information of a block for trialing would cause approximately half of the bits in the decrypted output to change, causing the authentication verification to not check out. Without knowledge of the key, it would be difficult for a would-be pirate to find the proper authentication information to compensate. 
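To make the two chaining modes concrete, the following is an added example in Python (not code from the patent, nor from any product it describes) modelling the chain layout of [0088] and [0089] and of [0102] to [0105]. It stands a 4-round Feistel network over SHA-256 in for DES, uses an XOR accumulator as the authentication circuit's hash (the simplified hash of [0095], applied in both modes so that every clear block is submitted to the authentication circuit as in [0089]), and closes each chain with one authentication block that, decrypted under its own key and XORed with that hash, must yield a constant "known by the hardware". The keys, the verification constant, the base address and the program blocks are constructed sample values. The example shows that in cipher block chaining a change to the first cipher block spoils verification, that simple block chaining with a plain XOR hash accepts swapped blocks (the problem stated in [0104]), and that keying each block with its address, as [0105] proposes, closes that hole.

```python
"""Toy model of cipher block chaining (CBC) and simple block chaining (SBC),
each chain closed by one authentication block. Constructed example, not the
patent's circuit: a Feistel network over SHA-256 stands in for DES, and the
keys, addresses, verification constant and program bytes are made-up values."""
import hashlib
from functools import reduce

BLOCK = 8                          # eight-byte blocks, as in the text
ROUNDS = 4
VERIFY_CONSTANT = b"\xa5" * BLOCK  # the value "known by the hardware" (assumed)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed SHA-256 truncated to half a block (constructed)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]

def _feistel(block: bytes, key: bytes, rounds) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in rounds:
        left, right = right, xor(left, _f(right, key, rnd))
    return right + left            # final swap lets the same routine invert itself

def encrypt_block(block: bytes, key: bytes) -> bytes:
    return _feistel(block, key, range(ROUNDS))

def decrypt_block(block: bytes, key: bytes) -> bytes:
    return _feistel(block, key, reversed(range(ROUNDS)))

def address_key(key: bytes, address: int) -> bytes:
    # "the key may be modified with the address": one key per block position
    return key + address.to_bytes(4, "big")

def xor_hash(blocks) -> bytes:
    # the simplified hash from the text: XOR of all clear blocks
    return reduce(xor, blocks, bytes(BLOCK))

def make_auth_block(clear_blocks, auth_key: bytes) -> bytes:
    # Sender: encrypt (hash XOR constant) so the receiver recovers the constant
    return encrypt_block(xor(xor_hash(clear_blocks), VERIFY_CONSTANT), auth_key)

def verify(clear_blocks, auth_block: bytes, auth_key: bytes) -> bool:
    # Receiver: decrypt the authentication block under its own key, XOR with the
    # hash of the clear blocks, and compare with the constant held in hardware
    return xor(decrypt_block(auth_block, auth_key), xor_hash(clear_blocks)) == VERIFY_CONSTANT

def cbc_chain_encrypt(clear_blocks, key, auth_key, iv):
    # CBC: each clear block is XORed with the previous cipher block before encryption
    out, prev = [], iv
    for p in clear_blocks:
        prev = encrypt_block(xor(p, prev), key)
        out.append(prev)
    return out + [make_auth_block(clear_blocks, auth_key)]

def cbc_chain_decrypt(chain, key, auth_key, iv):
    # Serial by necessity: block i needs cipher block i-1. Returns (clear, verified).
    *cipher, auth = chain
    clear, prev = [], iv
    for c in cipher:
        clear.append(xor(decrypt_block(c, key), prev))
        prev = c
    return clear, verify(clear, auth, auth_key)

def sbc_chain_encrypt(clear_blocks, key, auth_key, base_addr=0, address_dependent=True):
    # SBC: every block is encrypted on its own (ECB style), optionally under an
    # address-dependent key; the whole chain is authenticated by one block
    keys = [address_key(key, base_addr + i) if address_dependent else key
            for i in range(len(clear_blocks))]
    out = [encrypt_block(p, k) for p, k in zip(clear_blocks, keys)]
    return out + [make_auth_block(clear_blocks, auth_key)]

def sbc_chain_decrypt(chain, key, auth_key, base_addr=0, address_dependent=True):
    # Blocks are independent, so a parallel decryptor could handle them at once
    *cipher, auth = chain
    keys = [address_key(key, base_addr + i) if address_dependent else key
            for i in range(len(cipher))]
    clear = [decrypt_block(c, k) for c, k in zip(cipher, keys)]
    return clear, verify(clear, auth, auth_key)

def demo():
    """Exercise both modes; returns a dict of outcomes for checking."""
    key, auth_key, iv = b"chainkey", b"auth-key", bytes(BLOCK)       # constructed keys
    program = [b"\x90" * 8, b"MOV-AX01", b"JMP-0x20", b"RET-0000"]  # constructed blocks
    chain = cbc_chain_encrypt(program, key, auth_key, iv)
    clear, ok = cbc_chain_decrypt(chain, key, auth_key, iv)
    # Flip one bit of cipher block 1: clear block 1 is garbled, clear block 2 gets
    # the same bit flipped, the hash changes, and verification fails.
    tampered = [xor(chain[0], b"\x01" + bytes(7))] + chain[1:]
    _, tampered_ok = cbc_chain_decrypt(tampered, key, auth_key, iv)
    # SBC without address dependency: swapping two cipher blocks still verifies,
    # because an XOR hash does not depend on block order.
    plain = sbc_chain_encrypt(program, key, auth_key, address_dependent=False)
    swapped = [plain[1], plain[0]] + plain[2:]
    swapped_clear, swapped_ok = sbc_chain_decrypt(swapped, key, auth_key, address_dependent=False)
    # SBC with address dependency: the swapped blocks meet the wrong keys.
    dep = sbc_chain_encrypt(program, key, auth_key, base_addr=0x1000)
    _, dep_ok = sbc_chain_decrypt(dep, key, auth_key, base_addr=0x1000)
    _, dep_swapped_ok = sbc_chain_decrypt([dep[1], dep[0]] + dep[2:], key, auth_key, base_addr=0x1000)
    return {"cbc_roundtrip": clear == program and ok,
            "cbc_tampered_verifies": tampered_ok,
            "sbc_swap_verifies": swapped_ok,
            "sbc_swap_reorders_program": swapped_clear == [program[1], program[0]] + program[2:],
            "sbc_address_dependent_ok": dep_ok,
            "sbc_address_dependent_swap_verifies": dep_swapped_ok}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` gives a reordered but still "authenticated" program for the address-independent SBC case, which is exactly why the text pairs the simple XOR hash with address-dependent keys; the CBC case needs no such measure because block order is already bound by the chaining itself.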
[0106] In an attempt to reduce program information execution latency, the authentication may be performed on the cipher text data using either a keyed hash or encryption of the authentication information. Decryption and authentication may operate simultaneously, and not authentication after encryption. For simple block chaining, this has a problem that address-dependent decryption will not have been performed on the program information, possibly making it vulnerable to being submitted to the decryptor out-of-sequence. 
[0107] Random sequence permutation of fields within a chain during the communication between the external storage device and the secure circuit may be used. Means, such as a data bus or network, are provided for communicating the program information with the secure circuit. 

[0108] Means associated with the secure circuit are provided to re-order the re-ordered fields of the chain to recover the fields in the first field sequence. A chain of program information may be re-ordered into two or more fields. Re-ordering may be provided. 
[0109] That is, the blocks may be communicated between the external storage device and the block buffers in a random, non-sequential sequence that does not reflect the true execution sequence of the blocks by the secure circuit. Moreover, re-ordering may occur for bytes within one or more blocks, or for entire chains. Any field may be re-ordered. 

[0110] Such non-sequential transmission is effective in deterring a pirate from ascertaining the program information structure, sequence, and organization executing in the secure circuit. By re-ordering any field within a chain or chains, or the relative position of entire chains in a program information sequence or multiple program information sequences, a pirate is deterred from detecting information regarding the execution sequence of the program information in the processing circuit. With re-ordering, a pirate may then be deterred from easily learning the correct clear text or cipher text of the program information, making certain cryptographic attacks more difficult to accomplish. Preferably, the program information is encrypted for increased difficulty of analysis. 

[0111] An alternative embodiment of this apparatus communicates the blocks of program information from the storage device to the secure circuit while substantially randomly re-ordering the fields of a program information sequence. A new sequence is used to communicate the fields from the secure circuit back out to the storage device, thereby changing the field associated with a particular storage location in the storage device. Means are provided internally to the secure circuit to store the new "true" sequence of the program information in the storage device. 
[0112] The new underlying sequence order for the fields of a program information sequence is then stored in the secure device so that future communications to the same blocks will allow the correct re-ordering based on the new sequence in the secure circuit. Means, such as a data bus or network, are provided for communicating the program information with the secure processing circuit. 

[0113] While the bytes may be re-ordered when communicated between the storage device and secure circuit using the sequence re-ordering techniques above, each byte of program information is still associated with a particular storage location. For example, the first byte of the first block of the first chain of a program information sequence is always located at a particular storage location even though the pirate may have problems ascertaining that in fact it was the first byte of the first block because of the re-ordering. The pirate may nonetheless trial the value at that particular storage location (e.g., address) in a systematic and organized way. 
[0114] Changing the underlying storage location of data in the storage device prevents a pirate from trialing the program information stored in a particular location in the storage device. By dynamically changing the program information location in a storage device after each use, a pirate trialing program information at a particular location in the storage device will not be dealing with precisely the same program information each time. The attack therefore becomes intractable. 
[0115] In a further aspect of the present invention, the re-ordering of data sub-fields, bytes, blocks, chains and program information sequences may be fixed and not random. The sequence may be different for each byte, block, chain or program information sequence accessed. This is a permutation that is performed differently on appropriate fields of the incoming program information. Advantageously, this permutation function can be easily implemented in hardware since it is not randomized. 
[0116] In a particular implementation, the secure circuit uses program information for generating a cryptographic key. 

[0117] The program information is encrypted using cipher block chaining, and optionally authenticated and/or re-ordered. In another embodiment, the program information is authenticated and optionally encrypted and/or re-ordered using block chaining. 

[0118] The key may be used in software to descramble a data transmission. By authenticating the instructions, a pirate is deterred from providing phony program information to the secure circuit descrambling the data transmission. 

[0119] In another aspect of the present invention, a secure circuit uses program information for generating a cryptographic key. The key may be used to descramble a data transmission in hardware. Depending on the partitioning of the secure circuit, the descrambling may be done internally or externally. 

[0120] The key may be generated and handed to a software module to descramble the data transmission. The software module may be internal to the secure circuit or external to the secure circuit. 
[0121] In both instances above, the secure circuit may consist of an integrated circuit (IC) having an authentication circuit, a central processing unit (CPU), and one or more block buffers which are adapted to store one or more blocks of program information. 
[0122] The external storage device may be a flash memory, an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a battery-backed random access memory (RAM), RAM, or a combination of the above. It may also be a hard disk drive, or CD-ROM, or any type of mass storage device. The external storage device also stores authentication information (e.g., check bits) for authenticating the program information when it is received in the secure circuit. In some implementations, it is desirable for the contents of the storage device to be copied to a faster storage device such as synchronous dynamic memory so that the secure circuit can fetch program information from the faster storage device, e.g., dynamic memory, rather than the slower storage device with its associated latencies. For example, a network computer may copy program information from the server over the network. The faster storage device may be local, while the slower storage may be remote; in the network computer case, accessed over the network. 

[0123] To reduce overall latency of execution of real-time executing code, the first communication path may have a sufficient bandwidth so that two or more of the strings, one or more blocks, or one or more chains can be communicated to the block buffers substantially at the same time. 

[0124] The program information bus is typically not wider than the instruction, because there is a bottleneck problem. The CPU is only executing at a particular rate. The program information would have to be stored somewhere. However, when there is latency associated with other processing, e.g., encryption or authentication, this can ... 
[0125] For example, the secure circuit may read more than one block of program information substantially concurrently. More than one block buffer is then used to store the additional blocks, e.g., one buffer per block. In the secure circuit, the authentication circuit receives the program information and authentication information from the one or more block buffers for use in authenticating the program information. In a second communication path in the IC, the authenticated program information from the authentication circuit is provided to the CPU to be executed to thereby decrypt the scrambled data transmission. The program information may include a plurality of strings of instructions, such as lines of computer code, or related data sequences, which are to be processed in succession by the CPU. 
[0126] A cache may be arranged in the second communication path to temporarily store the authenticated program information before it is provided to the CPU. The cache may store at least one of the strings of program information so that at least two of the strings of program information may be provided to the CPU substantially concurrently (e.g., the stored string and the last authenticated and deciphered string). In this manner, the program information is efficiently communicated to the CPU. The advantage of a cache is that the CPU may fetch already authenticated program information from the cache rather than using the external storage device communication means, e.g., bus or network, which involves various latencies. 

[0127] When a first chain and a subsequent second chain are communicated from the external storage device to the one or more block buffers, the authentication circuit authenticates the first and second cipher block chains to provide corresponding authenticated program information. Additionally, the CPU may process at least a portion of the authenticated program information from the first chain while the authentication circuit is authenticating at least a portion of the program information of the second chain. Deciphering of the program information, when required, may similarly be performed in an overlapping manner. 

[0128] An alternative embodiment of this apparatus communicates the fields of program information between the storage device and the secure circuit while communicating fields that are not used by the immediate, e.g. current or next, program information sequences processed by the secure circuit. This obfuscation technique uses dummy fields of data that may be simply chaff, e.g., never used by the secure circuit during any program information execution, or they may be part of other program information sequences that are simply not currently being processed between the secure circuit and the storage device. Means associated with the secure circuit are provided to eliminate the dummy bytes of the particular blocks to recover the bytes in the first byte sequence, and subsequent byte sequences of the remaining blocks. The dummy bytes may optionally be used during decryption and/or authentication prior to elimination after being received by the secure circuit. Additionally, blocks and chains that may be eliminated in the same way are provided. 
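As an added illustration of the re-ordering and dynamic relocation of [0107] to [0114] together with the dummy fields of [0128] (example code, not the patent's own design; the class and method names are assumed, and the storage device is modelled as a Python dict of address to field), the following model keeps the only copy of the "true" field sequence inside the secure circuit, receives the storage locations over the bus in a random order mixed with chaff, restores the first field sequence, and on write-back gives every field a new storage location so that a location trialed by a pirate no longer holds the field it held before.

```python
"""Model of field re-ordering, dummy (chaff) fields and dynamic relocation of
program information between an external storage device and a secure circuit.
Constructed example, not the patent's own design; names and layout are assumed
and the storage device is a dict mapping storage address -> field bytes."""
import random

class SecureCircuit:
    """Holds the only copy of the 'true' sequence: which storage location
    currently carries each field, and which locations carry chaff."""

    def __init__(self, rng: random.Random):
        self.rng = rng
        self.location_of = {}   # true field index -> storage address
        self.chaff = set()      # storage addresses holding dummy fields

    def _new_layout(self, n_fields: int, n_chaff: int, avoid=None):
        # Random assignment of fields to addresses. When relocating, insist
        # that every field leaves the address it occupied before.
        addresses = list(range(n_fields + n_chaff))
        while True:
            self.rng.shuffle(addresses)
            if avoid is None or all(addresses[i] != avoid[i] for i in range(n_fields)):
                return addresses

    def store(self, storage: dict, fields, n_chaff: int, relocate: bool = False):
        """Write the fields out re-ordered, together with n_chaff dummy fields,
        and remember the new sequence internally."""
        layout = self._new_layout(len(fields), n_chaff,
                                  avoid=self.location_of if relocate else None)
        self.location_of = {i: layout[i] for i in range(len(fields))}
        self.chaff = set(layout[len(fields):])
        for i, field in enumerate(fields):
            storage[self.location_of[i]] = field
        for addr in self.chaff:                 # chaff: random bytes of the same width
            storage[addr] = bytes(self.rng.getrandbits(8) for _ in fields[0])

    def read_sequence(self, storage: dict):
        """The bus delivers every location, real and chaff, in a random order;
        the circuit drops the chaff and restores the first field sequence."""
        index_of = {addr: i for i, addr in self.location_of.items()}
        delivered = list(storage.items())
        self.rng.shuffle(delivered)             # non-sequential communication
        recovered = [None] * len(self.location_of)
        for addr, field in delivered:
            if addr in self.chaff:
                continue                        # eliminate the dummy field
            recovered[index_of[addr]] = field
        return delivered, recovered

def demo(seed: int = 7):
    """Store, read back, relocate, read back again; returns results for checking."""
    rng = random.Random(seed)                   # seeded so the example is repeatable
    circuit, storage = SecureCircuit(rng), {}
    program = [f"blk{i:02d}".encode() for i in range(6)]   # constructed 5-byte fields
    circuit.store(storage, program, n_chaff=3)
    delivered, recovered = circuit.read_sequence(storage)
    old_layout = dict(circuit.location_of)
    circuit.store(storage, program, n_chaff=3, relocate=True)   # write back in a new order
    moved = sum(1 for i in old_layout if old_layout[i] != circuit.location_of[i])
    _, recovered_again = circuit.read_sequence(storage)
    return {"recovered_ok": recovered == program, "delivered": len(delivered),
            "moved": moved, "recovered_after_relocation": recovered_again == program}

if __name__ == "__main__":
    print(demo())
```

The permutation table `location_of` is the state that [0111] and [0112] say must live inside the secure circuit: without it the delivered fields cannot be put back into execution order, and after each write-back the table changes, so a storage address observed by a pirate maps to a different field on the next use.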
[0129] Cipher block chaining or. simple block chaining 
as described herein may be used to both hash: and 
encrypt for privacy. For example, the program informa- . ^ 
tion and authentication information may be carried'. in 40_ 
two or more eight-byte blocks. Block chaining is efficient ' 
due to the relatively low overhead of the authentication 
information relative to the authenticated data. The 
authentication information is XORed with the last clear 
data (e.g., program information) blocks and optionally 45 
decrypted and to yield a verification value. The value is 
compared to a value which is known by the hardware to 
verify that the authentication data is correct The value 
may be different for different chains or it may be fixed for 
all chains. so 
[0130] Using cipher block chaining to both encrypt and hash is a way to reduce the amount of hardware associated with the security function. Only one buffer is needed, as all blocks by necessity are processed in a serial fashion. The XOR function is more robust than that done in simple block chaining because it is difficult to make a change in one block and be able to compensate for it by changing another block. Since the XOR is done prior to a decryption step, it is more difficult to manipulate a block to cancel any change made. However, serial processing is required.
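The chaining and check-block verification of [0129]-[0130] and [0150], as an added Python model (a constructed example, not the patent's circuit): a small Feistel cipher stands in for triple DES, HMAC-SHA256 for the keyed DFFH hash, and address dependence and re-ordering are left out. It shows one check block covering a whole chain, and that altering any cipher block corrupts every later block and fails verification.

```python
"""Constructed model of a cipher block chain carrying one check block, after
[0129]-[0130], [0147] and [0150]. Not the patent's circuit: a 4-round Feistel
cipher stands in for triple DES, HMAC-SHA256 for the keyed DFFH hash."""
import hashlib
import hmac

BLOCK = 8  # eight-byte blocks, as in the patent


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # round function of the toy cipher: 4 bytes of SHA-256(key || round || half)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 8-byte block cipher (stand-in for triple DES, absent from stdlib)."""
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return r + l


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r


# Constructed sample keys (not real key material). The hash key and the key
# that encrypts the check block differ, as stated in [0147].
KEYS = {"enc": bytes(range(16)), "hash": bytes(range(16, 32)), "auth": bytes(range(32, 48))}
IV = bytes(BLOCK)


def encrypt_chain(keys, iv, clear_blocks):
    """FIG. 2 chaining: B_1 = E(A_1) ^ IV and B_i = E(A_i) ^ A_{i-1}. The check
    block B_N = E_auth(V) ^ A_{N-1}, where V is the keyed hash of the chain."""
    if any(len(a) != BLOCK for a in clear_blocks):
        raise ValueError("every clear block must be exactly 8 bytes")
    chain, prev = [], iv
    for a in clear_blocks:
        chain.append(xor(toy_encrypt(keys["enc"], a), prev))
        prev = a
    v = hmac.new(keys["hash"], b"".join(clear_blocks), hashlib.sha256).digest()[:BLOCK]
    chain.append(xor(toy_encrypt(keys["auth"], v), prev))
    return chain


def decrypt_and_verify(keys, iv, chain):
    """Serial decryption: A_i = D(B_i ^ A_{i-1}), so block i cannot be
    recovered before block i-1 ([0158]). Returns (verified, clear_blocks)."""
    clear, prev = [], iv
    for b in chain[:-1]:
        a = toy_decrypt(keys["enc"], xor(b, prev))
        clear.append(a)
        prev = a
    expected = hmac.new(keys["hash"], b"".join(clear), hashlib.sha256).digest()[:BLOCK]
    # undo the XOR with the last clear block, decrypt, compare to the known value ([0129])
    v = toy_decrypt(keys["auth"], xor(chain[-1], prev))
    return hmac.compare_digest(v, expected), clear


def flip_bit(chain, index, bit=0):
    """Return a copy of the chain with one bit of block `index` inverted."""
    mask = bytes([1 << (bit % 8)]) + bytes(BLOCK - 1)
    out = list(chain)
    out[index] = xor(out[index], mask)
    return out


if __name__ == "__main__":
    program = [bytes([i]) * BLOCK for i in range(15)]  # constructed clear blocks
    chain = encrypt_chain(KEYS, IV, program)           # 16 blocks: 15 data + 1 check
    print("verified:", decrypt_and_verify(KEYS, IV, chain)[0])
    ok, recovered = decrypt_and_verify(KEYS, IV, flip_bit(chain, 2))
    print("after altering block 3: verified =", ok,
          "| blocks corrupted:", sum(a != b for a, b in zip(recovered, program)))
```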

BRIEF DESCRIPTION OF THE DRAWINGS 
[0131] 

FIG. 1 is a schematic diagram of a cryptographic 
key generator/descrambling receiver apparatus in 
accordance with the present invention. 
FIG. 2 is a schematic representation of a cipher 
block chaining encryption scheme in accordance 
with the present invention. 

FIG. 3 is a schematic representation of a cipher 
block chaining decryption scheme in accordance 
with the present invention. 

FIG. 4 is a schematic representation of a simple 
block chaining encryption scheme in accordance 
with the present invention. 

FIG. 5 is a schematic representation of a simple 
block chaining decryption scheme in accordance 
with the present invention. 

FIG. 6 is a schematic diagram of an alternative 
cryptographic key generator/descrambling receiver 
apparatus in accordance with the present invention. 

DETAILED DESCRIPTION OF THE INVENTION 

[0132] An apparatus is presented for a secure processor. The preferred embodiment emphasizes security. 
[0133] Encrypted, authenticated, and sequence-permuted blocks of program information and dummy data are securely communicated between an external memory and a cryptographic ASIC in cipher block chains. Processing of the program information allows the ASIC to derive a key which is used to decrypt digital packets of video and audio for subscription television. 
[0134] FIG. 1 is a schematic diagram of a cryptographic key generator/descrambling receiver apparatus in accordance with the present invention. The descrambling receiver, shown generally at 100, includes a secure circuit, e.g., an integrated circuit (IC) 105 such as an ASIC, and a storage device, e.g., memory 110, which is external to the ASIC 105. The memory 110 is external to the ASIC 105 since the memory 110 is not embedded within the ASIC package. For example, the memory 110 and ASIC 105 may be provided as separate packages on a decoder motherboard. 
[0135] In either case, the memory 110 can be increased or reduced by removing and replacing the memory IC, without interfering with or modifying the secure circuit 105. Additionally, new program information such as patch code may be downloaded to the external memory 110 via a telephone line, satellite link, or cable television link, for example. Alternatively, the program information could be installed locally at the descrambling receiver such as via a smart card, or either connected by a socket or soldered to the same board. Or, the memory 110 itself could be located in a smart card, in which case a new smart card could be provided at a relatively low cost to upgrade a decoder. Advantageously, this arrangement provides substantial benefits by allowing the program information (e.g., software or firmware) which is stored in the external storage device 110 to be easily upgraded or modified to provide new features or to fix software problems. 
[0136] For example, the external storage device 110 can be easily replaced or modified to provide customized features for businesses or individuals, or to provide specific features to groups according to factors such as demographic profile, geographical location, time zone, and the like. 

[0137] In contrast, if the memory 110 were in ROM and internal to the ASIC 105, the ASIC would have to be replaced altogether, thereby resulting in significant costs and delays. The ASIC may be built using advanced VLSI processes that use RAM and ROM technology to achieve high processing and bit transfer rates, not only for the transfer of program information between the ASIC and the external memory but for internal execution out of the cache, and for the descrambling of the digital packets of video and audio. The ASIC created out of RAM and ROM technology can decrypt a higher bit rate of packetized data than an ASIC created out of alternative technologies. The external memory thus provides the ASIC with greater flexibility. 

[0138] The external storage device 110 may be a flash memory, an erasable programmable read-only memory (EPROM), an electrically erasable PROM (EEPROM), or a battery-backed volatile memory such as a random access memory (RAM). Alternatively, a conventional read-only memory (ROM) may be used. 
[0139] An EPROM allows the programming in the memory to be reversed by exposure to intense ultraviolet light. New code may be easily stored in the EPROM in a process known as re-burning. An EEPROM is alterable by using a large electric current to reset the internal memory cells. By using EEPROM or battery-backed RAM, the external memory may also be used to store short term and long term data. The memory space could also be partitioned to provide different physical devices so that different memory types may be used together. On power-up, the non-volatile memory may be copied to much faster memory such as synchronous dynamic memory. This can reduce latency in the read/write operations of the external memory. 
[0140] The external storage device 110 may be encrypted using cipher block chains, or, using simple block chains, may be authenticated and, optionally, encrypted. The program information can be used by the ASIC 105 to decode a scrambled data transmission. The program information may comprise lines (e.g., strings) of code which are to be executed by a central processing unit (CPU) 170 in the ASIC 105. Each line refers to an executable command or data used by the program. The code may conform to a reduced instruction set computer (RISC) architecture, where each line of code can be executed in a single chip clock cycle. 
[0141] The program information is processed using cipher block chaining. The block encryption method is triple DES. Three keys are available for use. One key is used with the high order address lines. Another key is used with the low order address lines. This provides address-dependent decryption. The third key may be unit-dependent. 

[0142] The hashing algorithm can use double feed-forward hash (DFFH), for example, as described in U.S. Patent application serial number 08/577,922, filed December 22, 1995. The hash is keyed. The key may be an XOR of the address and unit key to provide both address- and unit-dependence to the authentication. Different hashing algorithms may be used whereby the keys could be appended together rather than XORed. 
[0143] In the preferred embodiment, op-codes generated are processed by an instruction decoder 172. Illegal op-codes can be flagged by an illegal op-code detector 174 in the instruction decoder 172, with the appropriate action taken. For example, the CPU 170 may send a signal to an alarm circuit, which in turn sends a kill (erase) signal to a storage device 150 which may store initialization vectors, decryption keys, and authentication keys. 

[0144] With cipher block chaining, any trialing of program information will cause every subsequent block to decrypt differently. 
[0145] Furthermore, the address lines of the external storage device may be scrambled such that sequential blocks of the program information are stored non-sequentially. That is, the bytes, which may each include eight bits, for example, can be stored in non-sequential address locations of the storage. Thus, the external storage device 110 is said to be a scrambled memory. A key may be used here as well. A key may be different on a group or unit basis. 

[0146] The storage device 110 also stores authentication information for use in securely communicating the program information to block buffers 130, 132 and 134 of the ASIC 105 via a bus 115. The authentication information, also known as check bits, is communicated to a check bit block buffer 136 of the ASIC 105. 
[0147] Authentication information is data that is appended to a message, e.g., a chain of program information, to enable a receiver to verify that the message should be accepted as authentic. The authentication information is a function of the message (e.g., chain) contents, such as when a hash value or cryptographic checksum is used. A hash value is a fixed length value which is obtained by mapping a chain of data of any length with a public function. In the preferred embodiment, the hashing is keyed, and the authentication information is encrypted under a different key. 
[0148] The program information of the external storage device 110 is communicated via a bus 115 to one or a number N of block buffers, including, for example, block buffers 130, 132 and 134. While a plurality of block buffers are shown, a minimum of one is required. 
[0149] The encryption/decryption circuit 120 is provided to encrypt or decrypt the blocks. The circuit 120 may also provide enciphering, for example, when clear text data is received by the block buffers or other source, and it is desired to encrypt the clear text data. The enciphered data can subsequently be transmitted via the buffers to the external storage device. 
[0150] An authentication circuit 125 hashes the clear text blocks of program information using, for example, the above-mentioned DFFH function. The authentication can be performed in a concurrent serial fashion as the blocks are decrypted. When block 1 is decrypted, it can be hashed. When block 2 is decrypted, it can be hashed with the output of the hash of the first block, and so on. The hashing of the data is keyed such that only knowledge of a secret or private key can generate the correct hash. Alternatively, as mentioned above, decryption occurs for authentication information, e.g., check bits, that, when XORed with the authenticated data (e.g., program information), results in a known value that may be verified by the hardware. The authentication circuit 125 and encryption/decryption circuit 120 can communicate with one another, and may share common circuitry. 
[0151] Cipher block chaining may be used for the block chain which is communicated from the external storage device to the secure circuit 105. Cipher block chaining is discussed in W. Stallings, Network and Internetwork Security, IEEE Press, Englewood Cliffs, New Jersey, U.S.A., pp. 59-61, 1995, incorporated herein by reference. Cipher block chaining can be used for both encryption and hashing, but in a preferred embodiment, it is used simply for robust encryption. A separate hashing function is used. The block encryption algorithm used with cipher block chaining is triple DES. 
[0152] Chain lengths can vary between 16 and 32 blocks. Chain lengths are varied on a chain by chain basis according to key and address parameters. 
[0153] The sequence order in which the blocks are communicated between the memory and the ASIC is random. A random number generator associated with the address generator accesses the proper storage locations of the blocks in memory. 

[0154] Authentication information is sent as one of the 16 to 32 blocks communicated. It can be communicated in any sequence. When decrypted, it is compared with the hash value. 

[0155] For example, N=16 blocks may be used in the cipher block chain, with each block having eight bytes of data. With cipher block chaining, each encrypted block of data depends on the clear text data of the current block, as well as the clear text data of all preceding blocks. Block chaining enhances security since the same clear text input will yield different encrypted data depending on the other clear text blocks. Additionally, the overhead data which is allocated to the authentication information is significantly reduced. If one of the 16 blocks is devoted to authentication information, then this represents only 1/16 = .0625 or 6.25% of the program information. If N=32, then the figure would be 1/32 = .03125 or 3.13%. In the preferred embodiment, the chain size can vary between 16 and 32, so on average the figure would be 1/24 = .0417 or 4.17%. That is, only 4.17% of the program information is authentication information. 

[0156] This could vary if, for example, two blocks instead of one block of authentication information were provided. There are many possibilities. But, chaining dramatically lowers the required storage capacity needed just for authentication. 

[0157] Chaining also allows the use of smaller mem- 
ory components, which greatly reduces the cost of the 
system, and/or increases system throughput since the 
amount of authentication information which is accessed 
from the storage device is reduced. Cipher block chain- 
ing is also discussed below in connection with FIGs 2 
and 3. 

[0158] A potential disadvantage of cipher block chaining is the latency in instruction execution when a new code segment which has not been decrypted and authenticated ahead of time and, perhaps, stored in the cache, needs to be accessed. The blocks must be decrypted serially since it is not possible to begin decrypting a block until the previous block has been decrypted. 

[0159] More sophisticated hashing functions such as message digest (MD) 5, secure hashing algorithm (SHA), and even cipher block chaining could be used. DFFH was chosen because it is DES based. It is possible to use the same hardware that is doing the decryption to also do the authentication. The inputs to the DES engine can be controlled to maximize use of the hardware. Although one-way functions are desirable, they are not mandatory since, if the authentication algorithm uses a secret key, a one-way function is not that much better than a reversible algorithm such as cipher block chaining, since anyone with knowledge of the secret key will be able to compute the appropriate authentication information to go along with any program information that may be provided. Authentication using public key cryptography is better because knowledge of the secure circuit's private decryption key does not allow a pirate to know how to encrypt the hash in the first place. The public encryption key must be known. 
[0160] With either scheme, the bus 115 may be sized to have a bandwidth which allows at least two lines of instructions, or grouped program information, to be carried at once. Alternatively, the bus 115 may be sized to carry one full block (e.g., eight bytes) of the chain, or even two or more full blocks. The bus 115 can also be sized to carry one or more entire chains at once. 
[0161] A sequence of blocks is communicated which are either authenticated and, optionally, encrypted instructions, e.g., blocks B_1, B_2, ..., B_N-1, or cipher block encrypted and, optionally, authenticated. Encrypted blocks are used with cipher block chaining, but are optional with simple block chaining. The authentication information is included in the communication of the program information in a block of check bits, e.g., block B_N. 
[0162] The savings in overhead data with cipher block chaining or simple block chaining while maintaining a desired security level can be seen as follows. The average number of trials to break the authentication is 2^(n-1), where the authentication is n bits in length. To provide a sufficient level of security, an authentication should reflect to some degree the length of the key or keys used to encrypt the instructions. Otherwise, the pirates will attack the weakest component of the system, which could be the authentication information itself. That is, instead of trialing the key to discover what key the program information was encrypted under, a pirate can trial the authentication information and cause the CPU to process synthesized program information. If this encryption uses a key of at least seven bytes for DES, then preferably, seven or eight bytes should be used for the authentication information. For example, with authentication information which is seven bytes in length (e.g., n=56 bits in length), 2^55 trials are required on average, which is similar in difficulty to breaking the DES key. 
[0163] When an eight byte block of authentication information is appended to an eight byte message block, the overhead of the authentication information is 50% (e.g., 8/(8+8)). However, when block chaining is used in accordance with the present invention, and a seven-byte block is appended to a chain of 16 to 32 eight-byte blocks, for example, the overhead as we discussed above is only about 4.17% with robust security. Accordingly, block chaining provides a substantial reduction in authentication information overhead while maintaining a desired security level. 
[0164] In a further aspect of the present invention, re-ordering of the chain which is communicated from the external storage device to the ASIC 105 is provided. This re-ordering is used in addition to the scrambled storage of the blocks in the storage device, discussed below, but it is possible to use the re-ordering by itself. By randomly re-ordering the blocks in the chain, a pirate is deterred from detecting information regarding the execution sequence of the program information in the processing circuit. As with byte- and chain-level re-ordering, block re-ordering can be done randomly such that repeated execution of the same code will fetch data from the external memory in different sequences each time. For example, with byte level re-ordering, if there are eight bytes per block, there are 8! = 40,320 different sequences in which the bytes may be ordered. Similarly, for block reordering, if there are sixteen blocks per chain, there are 16! = 2.09 x 10^13 different sequences in which the blocks may be ordered. For chain reordering, if there are 4 chains per program information sequence, there are 4! = 24 different sequences in which the chains may be ordered. And it is possible to use all three together. The total number of possible permutations would then be 40,320 x 2.09 x 10^13 x 24 = 2.02 x 10^19. 
[0165] It is important to realize that any field can be the basis for re-ordering and that bytes, blocks and chains are arbitrary units for bits. The fields being re-ordered could be nibbles. Also, bytes do not have to be eight bits, nor blocks 8 bytes, etc. 
[0166] With this in mind, the re-ordering operation could allow bytes to be re-ordered across two or more blocks, blocks across two or more chains, and chains across two or more program information sequences. Here, we get a different result. For example, with byte level re-ordering, if there are eight bytes per block re-ordered over two blocks, there are 16! = 2.09 x 10^13 different sequences in which the bytes may be ordered. 
[0167] If cipher block chaining is used in conjunction with re-ordering, where serial processing of the blocks is required, multiple block buffers are needed to store all the related fields prior to deciphering. Moreover, as discussed further in connection with FIG. 6, if re-ordering occurred across two or more chains, then two or more chains' worth of block buffers would be needed. Re-ordering across program information sequences would require even more block buffers. Deciphering may be delayed until the fields associated with the last block sequence are read because, when re-ordered internally, the last block read may be the first block of the chain sequence. 

[0168] With cipher block chaining, security is emphasized. However, simple block chaining, as described with the XOR hashing function in FIG. 3, avoids latency problems and can be used with chain, block, byte or any field re-ordering. Regardless of the chain, block, byte or field order, all the bytes in a block are available to perform the authentication. Additionally, when decryption is required, each block 

[0169] Address data provided to the external storage device may randomly select fields, bytes, blocks, or chains for communication to the ASIC 105. A block reordering circuit multiplexer 112 may be provided which communicates with the bus 115 to reverse the re-ordering as necessary for the encryption/decryption circuit 120 and authentication circuit 125 to perform their functions. The block reordering circuit multiplexer 112, address generator 160, and address scrambler 164 may communicate with each other, and with the CPU 170 as required, to coordinate the re-ordering steps. The address generator 160 may be responsive to a random number generator 166. The random number generator 166 can provide random or pseudo-random sequence permutations for the fields of a chain or chains which need not conform to any algorithm embodied in the hardware. 

[0170] Chain, block, byte, and field level sequence scrambling is generally applicable to virtually any scheme where blocks of data are communicated from a memory to a secure circuit for processing. As mentioned above, scrambling the order of bytes or sub-fields within each block does not affect decryption latency since all of the bytes must be assembled before authentication and decryption can begin. However, the re-ordering confuses a pirate as to which cipher text corresponds to which instruction or other data block. It also confuses a pirate as to the structure, sequence, and organization of the program information in the storage device. 

[0171] In the preferred embodiment, an entire eight byte block is read in by the secure circuit 105; the order in which the first byte is read relative to other bytes would change from block to block, and could change randomly each time the storage device is accessed. But when re-arranged within the secure circuit, there is only one proper sequence for a block that must undergo decryption. For cipher block chaining, this has the advantage of not requiring more than one block buffer, since it has the bytes of an individual block being re-ordered, but it narrows the obfuscation to an even smaller period of time. The external storage device can be rearranged or sorted prior to loading the individual bytes into the block buffer. 

[0172] In a further aspect of the present invention, the blocks of a chain are written back out into the storage device in a new pattern. Each random reading of the storage device is followed by a corresponding writing of the data back out in a different random sequence. Associated with each chain is a memory device which stores the current underlying ordering sequence of the chain. The re-ordering can be random. 
[0173] Dummy data may also be communicated between the storage device 110 and the secure circuit 105. The dummy data may be chaff which is stored by the storage device 110. This is data which never gets processed by the secure circuit, but it may be optionally used as filler, and be decrypted and optionally authenticated by the secure circuit. It is easy to generate chaff. One simply performs a branching or jump operation immediately preceding the chaff. If no calls, branches, or jumps are ever made to the location where the chaff is, then that chaff will never be executed. The dummy data may be real program information for other chains and instruction sequences that may be accessed at a later time and under different situations. Like chaff, this data may be optionally used as filler, and be decrypted and optionally authenticated with the other program information. But this data does not get processed by the secure circuit. The superfluous data confuses the pirate attempting to analyze the authenticated program information. 

[0174] One of the best ways to communicate dummy data is through variable length chains. The actual number of blocks communicated could remain the same while the number of dummy blocks changed. With re-ordering of blocks it would be hard for a pirate to determine which blocks might be the dummy ones. The dummy blocks in the preferred embodiment would actually be data which is never processed. 
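The block re-ordering, write-back and dummy-block padding of [0164], [0167], [0172] and [0174], as an added Python model (a constructed example, not the patent's circuit; ScrambledMemory, SecureCircuit and the address layout are assumptions made here). It shows that only the secure circuit's own ordering table lets the chain be restored, that the bus address sequence differs on every read, and that deciphering can only start once the whole chain is buffered.

```python
"""Constructed model of block re-ordering with dummy blocks, after [0164],
[0167], [0172] and [0174]. Not the patent's circuit: ScrambledMemory and
SecureCircuit are names assumed here for illustration."""
import random

BLOCK = 8
TRANSMIT = 32  # fixed number of blocks placed on the bus per chain read ([0174])


class ScrambledMemory:
    """External storage 110: address -> 8-byte block. bus_trace records the
    address sequence an observer on the communication path would see."""

    def __init__(self, cells):
        self.cells = dict(cells)
        self.bus_trace = []

    def read(self, address):
        self.bus_trace.append(address)
        return self.cells[address]


class SecureCircuit:
    """Knows, per chain, which address holds which logical block (the
    ordering table of [0172]) and which addresses hold chaff ([0173])."""

    def __init__(self, memory, chain_addrs, chaff_addrs, seed=None):
        if not 16 <= len(chain_addrs) <= 32:
            raise ValueError("chain length must be 16 to 32 blocks ([0152])")
        if len(chain_addrs) + len(chaff_addrs) < TRANSMIT:
            raise ValueError("not enough chaff to pad the chain to TRANSMIT blocks")
        self.mem = memory
        self.chain_addrs = list(chain_addrs)  # logical index -> address
        self.chaff_addrs = list(chaff_addrs)
        self.rng = random.Random(seed)        # stand-in for random number generator 166

    def fetch_chain(self):
        """Read one chain in a fresh random block order, padded with dummy
        blocks, and return its real blocks restored to logical order."""
        n = len(self.chain_addrs)
        schedule = [(i, a) for i, a in enumerate(self.chain_addrs)]
        schedule += [(None, a) for a in self.rng.sample(self.chaff_addrs, TRANSMIT - n)]
        self.rng.shuffle(schedule)           # block-level re-ordering ([0164])
        buffers = [None] * n                 # one block buffer per chain position ([0167])
        for idx, addr in schedule:
            block = self.mem.read(addr)
            if idx is not None:              # chaff is read but never kept ([0174])
                buffers[idx] = block
        # Only now, with the whole chain buffered, can serial (cipher block
        # chained) deciphering start: the last block read may be the first
        # block of the chain ([0167]).
        return buffers

    def write_back(self, blocks):
        """[0172]: after a read, the chain goes back out to the storage device
        under a new random address assignment; the ordering table follows."""
        new_addrs = list(self.chain_addrs)
        self.rng.shuffle(new_addrs)
        for addr, block in zip(new_addrs, blocks):
            self.mem.cells[addr] = block
        self.chain_addrs = new_addrs


def make_memory():
    """Constructed contents: 20 real blocks and 12 chaff blocks."""
    real = {0x100 + BLOCK * i: bytes([i]) * BLOCK for i in range(20)}
    chaff = {0x800 + BLOCK * j: bytes([0xC0 + j]) * BLOCK for j in range(12)}
    return ScrambledMemory({**real, **chaff}), sorted(real), sorted(chaff)


if __name__ == "__main__":
    mem, real_addrs, chaff_addrs = make_memory()
    circuit = SecureCircuit(mem, real_addrs, chaff_addrs)
    first = circuit.fetch_chain()
    trace1 = list(mem.bus_trace)
    mem.bus_trace.clear()
    circuit.write_back(first)
    second = circuit.fetch_chain()
    print("same chain recovered both times:", first == second)
    print("bus address sequences identical:", trace1 == mem.bus_trace)
```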
[0175] The external storage device 110 may be encrypted such that the blocks of program information and authentication information are stored in non-sequential address locations in the storage device. It would be preferable to include the high order address bits in encryption of the storage device so that any block of program information may be located anywhere in the memory space. Substitution tables (S-tables) can be used to eliminate regularity and add non-linearity in the address encryption. 

[0176] Specifically, the authenticated block chained external storage device is encrypted so that the execution of the cryptographic code can be concealed from a pirate who is observing the storage device's accesses on the communication path 113. A pirate may be prevented from learning about the proprietary algorithms being executed. Encrypting may therefore prevent a pirate from ascertaining the contents of the storage device, and from systematically attacking the secure circuit 105 through other means with the hardware. Encryption of the storage device prevents the pirate from knowing exactly which encrypted program information is the likely target for attack. By knowing exactly which program information could make the system vulnerable to a security breach, the pirate might focus on upsetting the processing of that program information. 
[0177] If address scrambling and data encryption and authentication were used alone, e.g., without data re-ordering, only one block buffer is required in a minimal implementation. 

[0178] Scrambling can be accomplished by using an address generator which is associated with the secure circuit 105 to provide addressing information to the external storage device. A number, possibly a random one, may be provided to change the sequence in which the program information is communicated. The sequence information is used to multiplex the appropriate field, byte or block buffer to communicate with the appropriate byte or block at the right time. Individual strings of sub-fields, bytes or blocks of data from the external storage device are then transferred to the block buffers in a desired sequence according to the addressing information. The addressing information is provided to the authentication and deciphering circuits to allow these circuits to descramble the data to function accordingly. 

[0179] Various block encryption algorithms, such as triple DES, may be used. Furthermore, the scrambling algorithm may use the same substitution box (S-box) tables as DES but with fewer rounds. The number of rounds may be selectable for different applications, such that an application requiring less security uses fewer rounds, while one requiring more security might use the entire sixteen rounds that DES calls out. Reducing the number of rounds reduces the latency of the decryption operation. 
[0180] Address-dependent decryption and authentication of the program information can prevent a pirate from moving otherwise properly encrypted and authenticated block chains around in the storage device to get the decoder to process program information out of sequence. Such out-of-sequence processing could cause the descrambling receiver to improperly grant access to and descramble a data transmission. 
[0181] If possible, the key used for encryption and decryption and/or authentication should have both address dependent scrambling and unit key dependence. The unit key is a key that is unique to each decoder and may depend on, for example, the decoder serial number which is provided at the time of manufacture. Thus, it is desirable for the key to depend on individual units, or groups of individual units. Otherwise, it may be possible for a pirate to read the scrambled key data in the external storage device from one unit, and then place that same scrambled key into another unit's external storage device. This might be a way for a pirate to clone authorization to services between units and must be prevented. 
[0182] Address dependent scrambling and unit key dependence also prevent knowledge of a key used to authenticate and/or scramble a block of program information in one decoder from being used in another decoder. For example, without unit dependence, if this secret key is discovered through VLSI probing, for instance, then it can be used to correctly authenticate and decrypt program information for other decoders. In other words, if a key or keys were useful for more than one unit, a pirate might then be able to use the key or keys obtained from one unit to either encrypt, encrypt and authenticate, or authenticate program information for another unit. To achieve unit-dependent scrambling, a download process using an optional on-chip enciphering circuit may be used to load external flash, EPROM, battery-backed RAM, or mass storage device at unit creation time. The enciphering circuit may be the same one used to allow for bi-directional read/write capability between the secure circuit and the storage device. An alternative would be to have these external storage devices loaded by the configuration system at unit creation time using knowledge of the unit's secret or private key or keys. 
[0183] FIG. 2 is a schematic representation of a cipher block chaining encryption scheme in accordance with the present invention. Blocks of clear text program information are converted to a chain comprising blocks of encrypted program information which includes the authentication information. In the example shown, each encrypted block of program information depends on the clear text program information of the current block as well as the clear text program information of a previous block. 

[0184] An authentication circuit 203 and an encryption circuit 200 are shown. Specifically, the authentication circuit 203 includes hashing functions 204, 206 and 208 and an adder 214. Functions 204, 206 and 208 may use the DFFH function discussed above or virtually any hashing function. A key is successively hashed at the functions 204, 206 and 208 to provide a hash value to the adder 214; the adder 214 also receives a zero or other value which is known by the hardware to provide an output value to the encryption circuit 200, which may include a triple DES encrypt function represented by encrypt functions 218, 222 and 224. 

[0185] Encrypt function 218 receives a secret key which is an XOR of low order address bits and a key D_K6, the encrypt function 222 receives a secret key which is an XOR of high order address bits and a key D_K5, and the encrypt function 224 receives a secret key which is an XOR of a unit key and a key D_K6. An adder 226 receives the output from the encrypt function 224 along with the clear text block A_{N-1} and provides the cipher text authentication block B_N. The adder 226 essentially hashes the clear text data.

[0186] Clear text blocks A_1, ..., A_{N-1}, which may include program information for descrambling a data transmission, are received by the respective triple-key encryption functions, and are also provided for XORing into the subsequent cipher text block. For example, A_1 is processed by encrypt functions 228, 232 and 234, which are each responsive to keys as shown. An adder 236 receives the output from the encrypt function 234 along with an initialization vector (IV) to provide the cipher text block B_1.

[0187] A_2 is processed by encrypt functions 242, 244 and 246, which are each responsive to keys as shown. An adder 248 receives the output from the encrypt function 246 along with the clear text block A_1 to provide the cipher text block B_2. Thus, B_2 is a function of both A_1 and A_2. Likewise, A_{N-1} is processed by encrypt functions 252, 254 and 256, which are each responsive to keys as shown. An adder 258 receives the output from the encrypt function 256 along with the clear text block A_{N-2} to provide the cipher text block B_{N-1}.
[0188] The IV may be zero, or a function of the address data or unit key which is provided to the block re-ordering circuit 112 or other randomizing function. Note that with a zero IV, two chains whose first clear text blocks are equal and which are encrypted under the same address-dependent keys (for example, the same storage location before and after an update) produce identical first cipher text blocks; an IV derived from the address data or unit key avoids this. A block size of eight bytes is assumed for this example. Moreover, although triple DES is illustrated using three different keys for each DES operation, fewer or more keys may be used. More keys may be introduced into a DES operation by splitting up the rounds to use different keys instead of a single key.

[0189] Additional keys may be used for the encryption functions, and additional and/or alternative encryption steps may be taken. Preferably, each of the cipher text block encrypt functions uses the same encryption algorithm, although this is not required.
[0190] The N encrypted blocks, B_1 through B_N, may be provided to a further encrypt function, such as the block re-ordering circuit mux 112 of FIG. 1, which performs a block-wise scrambling of the N blocks according to an address data signal. For example, with N=8 blocks, the blocks may be stored in sequential addresses of the external storage device 110 in the order: B_1, B_3, B_2, B_5, B_4, B_6, B_8, B_7. The blocks are said to be stored in a random or non-sequential manner since they are not stored in successive addresses of the storage device.

[0191] With the temporal re-ordering scheme discussed above, the blocks may subsequently be transmitted to the block buffers in another sequence, for example, B_5, B_3, B_2, B_6, B_4, B_7, B_8, B_1, which differs from both the order in which the blocks were provided to the re-ordering circuit 112 and the storage sequence.
[0192] The authentication and encryption functions and associated elements need not be collocated with the external storage device 110. That is, the encryption circuit 200 may be located at a cable television system headend or a satellite uplink, while the storage device is part of a descrambling receiver in a consumer's home. The authenticated and/or encrypted program information can be provided to the memory 110 via any convenient channel, for example, a telephone, satellite or cable television link, or a computer network. The authenticated and/or encrypted program information may also be installed locally via a smart card, or the storage device 110 itself may be pre-loaded with the encrypted program information prior to installation and initialization in the descrambling receiver.

[0193] Referring again to the descrambling receiver 100 of FIG. 1, address data used by the address scrambler 164 can be stored in an address generator 160 of the ASIC 105. The address data is provided to the external memory 110 via a path 165 so that the scrambled blocks of encrypted instructions can be read out in a desired sequence (e.g., B_1, B_2, ..., B_N). In particular, blocks which comprise a chain may be read out non-sequentially from the memory 110 to provide the blocks in the unscrambled sequence via line 113. Optionally, the blocks may be transmitted from the external storage device 110 to the secure circuit 105 in the scrambled or random time sequence and descrambled at the ASIC 105 using the block re-ordering circuit multiplexer 112. The address data may also be used by the external storage device 110 to transmit different block chains in a scrambled (e.g., non-sequential) order.

[0194] The address data and the encrypted blocks B_1 through B_N of successive cipher block chains are provided to an encryption/decryption circuit 120 and authentication circuit 125 of the ASIC 105. The encryption/decryption circuit 120 uses the address data to unscramble the cipher block chain sequence as required. Re-ordering may also occur at the block re-ordering circuit multiplexer 112. The encryption/decryption circuit 120 also receives the secret decryption key from a decryption key memory 150 of the ASIC 105, and performs a decryption algorithm which is the inverse of that used to provide the encrypted blocks. The decryption process is discussed immediately below and also in connection with FIG. 3.
[0195] With the block chaining scheme, the blocks B_1 through B_N of each chain must be decrypted in succession. That is, B_1 is first decrypted, then the result is used in decrypting B_2, and so on. Once blocks B_1 through B_{N-1} have been decrypted, the authentication block, B_N, can be decrypted, and the authentication information (e.g., checksum or hash) can be calculated by the authentication circuit 125 to authenticate the chain. The correct authentication information may be pre-stored within the authentication circuit 125 and compared to the calculated authentication information to provide the necessary verification. Finally, lines of clear text (i.e., decrypted) program information are obtained and provided to the cache 140.

[0196] For secure communication between the external storage device 110 and the secure circuit 105, the outgoing program information from the secure circuit to the storage device must also be authenticated and/or encrypted. Thus, to change a byte or string of data in the external storage device 110, the entire block and block chain must be read into the ASIC, the change made, and then the proper authentication information calculated. After the authentication information is calculated, the newly encrypted block information and changed authentication information are written out, for example, using simple block chaining. The program information may be written back to the storage device in a different underlying sequence than it was fetched in.

[0197] The unmodified blocks do not need to be written out unless their location in the storage has changed. With cipher block chaining, changing one block of data can change subsequent blocks in a chain; those affected blocks would need to be written out as well.
[0198] There are instances when the secure circuit needs to communicate with the outside world in a clear mode, e.g., for printers, error messages, display purposes, and the like. Therefore, the encryption/decryption circuit 120 and/or verification/authentication circuit 125 should have a disable mode whereby program information may be communicated with the encryption and authentication conditionally bypassed. In such a mode, program information need not be communicated in either a block or a chain, since there would be no requirement for either encryption or authentication. Such a mode may also be useful for debug and testing of the system. Because the disable mode bypasses both checks, the condition that enables it must itself be controlled by the hardware or by authenticated program information, and must not be reachable from unauthenticated data in the external storage device.
[0199] Different chain lengths may be used for communicating different types of program information from the storage device. Program information requiring less latency can have smaller chain lengths. Program information that can tolerate more latency can have longer chain lengths, thereby saving on the storage of the corresponding authentication information. Thus, the length of each chain can be set according to the processing latency of the program information of the respective chains.

[0200] For example, it may be possible to have only two blocks of program information in the chain, one for the data and one for the authentication information. Although an entire chain of program information must be fetched and decrypted first to change even a single byte, a change in data does not have to be written out to the external storage device immediately. Data may be stored internally, such as in the cache 140, until such time that the external storage device needs to be updated. At that time, the ASIC must write the entire chain with the modification back out to the external storage device.

[0201] Referring again to the encryption/decryption circuit 120, the decrypted program information is provided to a cache 140 for temporary storage, and to a CPU 170 for execution. The program information may be used to decode a scrambled data transmission using additional processing hardware or software and steps which are not shown, but which are well known in the art.

[0202] The cache 140 is a RAM which provides a buffering capability with relatively high-speed access, and may be sized to store a substantial amount of data. The cache 140 may store thousands of bytes, which corresponds to the size of the instructions and operation data of many block chains. The CPU may execute program information from a first cipher block chain while the encryption/decryption circuit 120 is decrypting blocks from a second, subsequent cipher block chain; the second chain may follow the first chain directly, or may be separated from the first chain by one or more intermediate chains. Thus, system throughput may be improved due to the overlapping activity of the authentication circuit, the deciphering circuit and the CPU. Although the CPU will typically execute the program information faster than the encryption/decryption circuit 120 can decrypt it, efficiencies can be achieved by coordinating the deciphering and execution activities, and by optimizing the number of rounds used in the encryption/decryption algorithm (the number of rounds should not be reduced below that specified for the cipher, since reduced-round variants are weaker; the optimization lies in the implementation of the rounds).
[0203] Additional efficiencies may be realized by writing the program information, e.g., the instructions which are executed by the CPU, to conform to the block chain transfer scheme. In particular, the amount of program information in lines of the instructions can conform to the block size and the number of blocks in a chain. For example, lines of instructions should be carried in full in a block chain rather than being split into two chains, to avoid waiting for a second block chain to be decoded to recover the remainder of a line. An instruction is typically only a few bytes long (e.g., 1-4 bytes), so a chain of blocks will typically include several instructions.
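The chain-length and packing rules of [0199], [0200] and [0203], as an added example in Python (not the patent's own code): it chooses the longest chain whose complete decryption still meets a latency budget, packs instruction lines into chains without splitting a line across two chains, pads the last block of each chain with dummy bytes that the CPU does not process, and reports the resulting authentication overhead. The latency model (one block-decryption time per block, with the CPU waiting for the whole chain before it can verify it), the pad byte, and the names `Layout`, `chain_length`, `plan_chains` and `SAMPLE_LINES` are the example's own assumptions; the sample instruction lines are constructed.

```python
from dataclasses import dataclass, field
from typing import List

BLOCK = 8
NOP = 0x00  # pad byte the CPU does not process (assumption; "dummy data" of claim 18)

# Constructed sample: seven instruction lines of 3, 5, 2, 4, 1, 6 and 8 bytes (29 bytes).
SAMPLE_LINES = [b"\x01\x02\x03", b"\x04" * 5, b"\x06\x07", b"\x08" * 4,
                b"\x09", b"\x0a" * 6, b"\x0b" * 8]


@dataclass
class Layout:
    chain_len: int  # blocks per chain including the authentication block
    chains: List[List[bytes]] = field(default_factory=list)   # data blocks, padded
    members: List[List[bytes]] = field(default_factory=list)  # the lines carried by each chain
    padding: int = 0                                          # dummy bytes added in total

    @property
    def total_blocks(self) -> int:
        # one authentication block per chain, on top of the data blocks
        return sum(len(c) + 1 for c in self.chains)

    @property
    def overhead(self) -> float:
        """Fraction of stored blocks that are authentication information."""
        return len(self.chains) / self.total_blocks if self.chains else 0.0


def chain_length(latency_budget: float, t_block: float) -> int:
    """Largest N such that decrypting a whole chain of N blocks fits the
    latency budget (with cipher block chaining the CPU waits for all N
    blocks, [0195]); never below the two-block minimum of [0200]."""
    return max(2, int(latency_budget // t_block))


def _pad(data: bytes) -> List[bytes]:
    """Split into BLOCK-sized blocks, padding the tail with NOP bytes."""
    data += bytes([NOP]) * (-len(data) % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def plan_chains(lines: List[bytes], latency_budget: float, t_block: float) -> Layout:
    """Pack instruction lines into chains of at most chain_len - 1 data blocks,
    never splitting a line across two chains ([0203]). A chain that is not
    full keeps only the data blocks it needs, so chain lengths vary."""
    n = chain_length(latency_budget, t_block)
    capacity = (n - 1) * BLOCK
    lay = Layout(chain_len=n)
    cur, cur_lines = b"", []

    def flush():
        blocks = _pad(cur)
        lay.chains.append(blocks)
        lay.members.append(cur_lines)
        lay.padding += len(blocks) * BLOCK - len(cur)

    for line in lines:
        if len(line) > capacity:
            raise ValueError("line of %d bytes cannot fit a %d-block chain" % (len(line), n))
        if len(cur) + len(line) > capacity:
            flush()
            cur, cur_lines = b"", []
        cur += line
        cur_lines.append(line)
    if cur:
        flush()
    return lay
```

With a budget of three block times the sample packs into two chains of two data blocks each (six stored blocks, one third of them authentication); with a budget of eight block times the same 29 bytes fit one chain of four data blocks plus one authentication block, and the overhead falls to one fifth, which is the trade-off [0199] describes.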
[0204] The cache 140 can optionally receive a signal from the address generator 160 to coordinate the storing and transferring of program information to the CPU 170. For example, the signal may inform the cache 140 that additional block chains are being sent to the buffers, authentication circuit 125 and encryption/decryption circuit 120, so that additional executable program information will be received by the cache 140.

[0205] One or more registers 180 may be provided which interface with the cache 140 and CPU 170. Also, a small internal ROM can be used to store boot-up or other program information which may be required in the ASIC 105.

[0206] FIG. 3 is a schematic representation of a cipher block chaining decryption scheme in accordance with the present invention. The scheme shown is the counterpart of the encryption scheme of FIG. 2. Re-ordering is performed when required to obtain the fields in the desired sequence for decrypting. An authentication circuit 303 and decryption circuit 300 are provided. At the decryption circuit, each of the cipher text blocks B_1 through B_N is decrypted.

[0207] First, the respective cipher text blocks are XORed with the prior decrypted clear text block or an initialization vector. Specifically, B_1 and the IV used during encryption are received at an adder 320 to provide an output to a triple DES decryption function, including decrypt functions 322, 324 and 326. The clear text block A_1 is output from decrypt function 326 and provided to an adder 330 and a hash function 304. At the hash function 304, A_1 and a key are hashed to provide an output to successive hash functions 306 and 308, and an addend.

[0208] The adder 330 receives A_1 and B_2 to provide an output to decrypt functions 332, 334 and 336 to provide the clear text block A_2. Similarly, an adder 340 receives A_{N-2} and B_{N-1} to provide an output to the corresponding decrypt functions to provide the clear text block A_{N-1}. An adder 350 receives the authentication block B_N as well as A_{N-1} to provide a value to decrypt functions 352, 354 and 356. The output of decrypt function 356 is provided to an adder 310 along with the hash value from hash function 308 to produce an output which is zero when the two values match and non-zero otherwise. If the output is zero, then the authentication value is valid since it matches the hash value, and an enable signal is set to allow processing to continue. However, if the output of the adder 310 is non-zero, then the authentication value is not valid, and an alarm state may be initiated at the alarm circuit 162 to provide a kill (erase) signal for partial or full erasure of the contents of the key storage device 150.
[0209] When block re-ordering is used, a pirate attempting to trial program information and the authentication information value will likely create invalid op-codes. Invalid op-codes are instruction values for which the CPU defines no corresponding action. Various options exist for handling an authentication value or op-code that does not check out. One possibility is to perform a reset of the secure circuit, which would require the pirate to reconfigure and re-initialize the ASIC for another attack.

[0210] Another possibility is to cause the processor in the ASIC to jump to an infinite "no operation" (NOP) loop. This is a state in which the ASIC performs no substantial operation, requiring the pirate to first detect the NOP loop, then force a reset, and reconfigure and re-initialize the ASIC for another attack. Or, the number of mismatches between the pre-stored value and the decrypted value may be counted such that one or all of the stored keys are erased when a threshold number of mismatches is detected. These keys could be sensitive keys whose disclosure to the outside world could pose a major security breach. Their erasure would cause a permanent malfunction of an otherwise good unit.

[0211] Another possible countermeasure is to erase a temporary key, such as one of the delivered keys, rather than a key which is loaded at unit initialization or creation time. This forces the pirate to contact the network service provider for re-authorization, thereby potentially exposing the pirate. In the preferred embodiment emphasizing security, all of the keys would be erased.
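The chain of FIG. 2 and its FIG. 3 counterpart, together with the enable/alarm decision of [0208] and the mismatch policy of [0210] and [0211], as an added example in Python; it is not code from the patent and its block cipher is a stand-in. The page does not fix the triple-DES keys, the exact key derivation, or how the chain is hashed, so the example assumes: an 8-byte Feistel network built on SHA-256 in place of the triple-DES functions (so that the example runs on the standard library; keep the chain structure from it, not the cipher); a block key that is the XOR of the unit key, a device key D_K and the block's storage address, in the spirit of [0185]; a keyed hash over all clear blocks, under a delivered temporary key, as the value carried in B_N; and a threshold of three mismatches before every key is erased. `Keys`, `AlarmCircuit`, `demo` and the sample program bytes are the example's own.

```python
from dataclasses import dataclass
import hashlib
import hmac
from typing import List, Tuple

BLOCK = 8
IV = bytes(BLOCK)  # the page allows a zero IV ([0188]); see the caveat there

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, i: int, half: bytes) -> bytes:
    # round function of the stand-in Feistel cipher (assumption, not triple DES)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for the triple-DES functions 228/232/234 (assumption)."""
    l, r = block[:4], block[4:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l

def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: undo the rounds in reverse order."""
    r, l = block[:4], block[4:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

@dataclass
class Keys:
    unit: bytes       # unit key, loaded at unit creation time ([0211])
    data: bytes       # D_K used for the program blocks
    auth: bytes       # D_K used for the authentication block
    delivered: bytes  # temporary key delivered by the network; keys the hash

def block_key(unit: bytes, d_k: bytes, address: int) -> bytes:
    """unit key XOR D_K XOR address bits, so a block is bound to its address."""
    return _xor(_xor(unit, d_k), address.to_bytes(BLOCK, "big"))

def auth_value(k: Keys, clear: List[bytes]) -> bytes:
    """Keyed hash of the clear blocks, reduced to one block (assumption)."""
    return hmac.new(k.delivered, b"".join(clear), hashlib.sha256).digest()[:BLOCK]

def encrypt_chain(k: Keys, base: int, clear: List[bytes]) -> List[bytes]:
    """FIG. 2: B_1 = E(A_1) XOR IV, B_i = E(A_i) XOR A_{i-1}, and the
    authentication block B_N = E(hash) XOR A_{N-1}."""
    assert all(len(a) == BLOCK for a in clear)
    chain, prev = [], IV
    for i, a in enumerate(clear):
        chain.append(_xor(encrypt_block(block_key(k.unit, k.data, base + i), a), prev))
        prev = a
    tag = encrypt_block(block_key(k.unit, k.auth, base + len(clear)), auth_value(k, clear))
    chain.append(_xor(tag, prev))
    return chain

def decrypt_chain(k: Keys, base: int, chain: List[bytes]) -> Tuple[List[bytes], bool]:
    """FIG. 3: A_1 = D(B_1 XOR IV), A_i = D(B_i XOR A_{i-1}); the decrypted
    B_N is compared with the recomputed hash (adder 310 is zero iff valid)."""
    clear, prev = [], IV
    for i, b in enumerate(chain[:-1]):
        prev = decrypt_block(block_key(k.unit, k.data, base + i), _xor(b, prev))
        clear.append(prev)
    got = decrypt_block(block_key(k.unit, k.auth, base + len(clear)), _xor(chain[-1], prev))
    return clear, hmac.compare_digest(got, auth_value(k, clear))

class AlarmCircuit:
    """Alarm circuit 162 policy of [0210]-[0211]; the threshold is an assumption.
    Each mismatch erases the delivered key (forcing re-authorization); after
    kill_after mismatches every key is erased and the unit is dead."""
    def __init__(self, k: Keys, kill_after: int = 3):
        self.k, self.kill_after, self.mismatches = k, kill_after, 0

    def report(self, ok: bool) -> str:
        if ok:
            return "enable"
        self.mismatches += 1
        self.k.delivered = bytes(BLOCK)
        if self.mismatches >= self.kill_after:
            self.k.unit = self.k.data = self.k.auth = bytes(BLOCK)
            return "kill"
        return "alarm"

def demo() -> Tuple[bool, bool, int]:
    """Round trip, then one byte of B_2 changed: returns (valid, tampered_valid,
    number of clear blocks corrupted). Because A_i feeds the decryption of
    A_{i+1}, the damage runs from B_2 to the end of the chain."""
    k = Keys(b"unit-key", b"devkey-1", b"devkey-2", b"deliver!")
    program = [b"MOV A,#1", b"ADD A,B ", b"JMP 0x10", b"RET     "]  # constructed
    chain = encrypt_chain(k, 0x1000, program)
    clear, ok = decrypt_chain(k, 0x1000, chain)
    assert clear == program
    bad = list(chain)
    bad[1] = bytes([bad[1][0] ^ 1]) + bad[1][1:]
    bad_clear, bad_ok = decrypt_chain(k, 0x1000, bad)
    return ok, bad_ok, sum(a != b for a, b in zip(bad_clear, program))
```

The write-back of [0196] and [0197] is the same pair of calls in the other order: decrypt the chain, change the byte, and call `encrypt_chain` again; every block from the changed one to B_N differs from what was stored and has to be rewritten, which is why a one-byte tamper in `demo` corrupts the rest of the chain rather than a single block.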
[0212] FIG. 4 is a schematic representation of a simple block chaining encryption scheme in accordance with the present invention. As discussed above, this configuration can avoid latency problems which are characteristic of the cipher block chaining technique of FIGs. 2 and 3. Encryption of all clear text blocks may be carried out independently and substantially in parallel. Encryption and decryption of the authentication information depends on the clear text blocks. The simple block encryption technique may have greater susceptibility to some trialing attacks by pirates, however, since the modification of a block will not affect other blocks, other than the authentication information.

[0213] An authentication circuit 403 and encryption circuit 400 are provided. Blocks of clear text program information A_1, A_2, ..., A_N are processed to provide corresponding blocks of cipher text, B_1, B_2, ..., B_N, respectively. One of the cipher text blocks, designated generically as B_i, is an authentication block, and can assume any position among the other cipher text blocks (e.g., 1 ≤ i ≤ N).

[0214] At the encryption circuit 400, block A_1 is encrypted at a function 402 to provide block B_1, block A_2 is encrypted at a function 404 to provide block B_2, block A_{N-1} is encrypted at a function 408 to provide block B_{N-1}, and block A_N is encrypted at a function 410 to provide block B_N. Additionally, each of the clear text blocks is provided to an adder 412 in the authentication circuit 403 to provide a value to an encrypt function 406 to produce a cipher text authentication block, B_i. B_i can be the first block B_1, the last block B_N, or any block in between. The adder 412 also receives a zero or other value which is known by the hardware.

[0215] Each of the encrypt functions for the non-authentication blocks, e.g., functions 402, 404, 408 and 410, may operate under the same key K_1, which is obtained by XORing a unit key, high order address bits, a secret key D_K1 and low order address bits. The encryption function for the authentication block, e.g., function 406, may operate under a different key, K_2, which is obtained using a secret key D_K2. The encrypted blocks can be provided to the block re-ordering circuit, as discussed previously.
[0216] In accordance with the present invention, authentication information is derived from the clear text blocks by providing an adder 412 which takes the XOR of the clear text blocks A_1, A_2, ..., A_N and, optionally, a pre-stored value. The output of the adder 412 is subsequently encrypted at the function 406 to provide the encrypted authentication block B_i. Virtually any hash function may be used instead of, or in addition to, the adder 412. Moreover, it is not necessary for each clear text block to be input to the adder 412. Note that an XOR adder is linear: any set of changes to the clear text blocks that cancel in the XOR (for example, the same change applied to two blocks, or two blocks exchanged) leaves the adder output unchanged, whereas a cryptographic hash function does not have this property.

[0217] FIG. 5 is a schematic representation of a simple block chaining decryption scheme in accordance with the present invention. The decryptor is the counterpart of the encryptor of FIG. 4. Re-ordering is performed when required to obtain the blocks in the desired sequence for decrypting.

[0218] A decryption circuit 500 and authentication circuit 503 are provided. Decrypt functions 502, 504, 508 and 510 use a key K_1 as shown to decrypt cipher text blocks B_1, B_2, B_{N-1} and B_N, respectively, to provide the clear text blocks A_1, A_2, A_{N-1} and A_N. The cipher text authentication block B_i is decrypted at a function 506 using a different key. The outputs from each of the decrypt functions are provided to an adder 512 to provide a hash value which, in turn, is summed at an adder 514 with a pre-stored hardware value.

[0219] If the output of the adder 514 is zero, then the hash value and hardware value are the same, the authentication data is verified, and subsequent processing is enabled. However, if the output of the adder 514 is non-zero, then the hash value and hardware value are different, the authentication data is not verified, and an alarm state is set.

[0220] FIG. 6 is a schematic diagram of an alternative cryptographic key generator/descrambling receiver apparatus in accordance with the present invention. Like-numbered elements correspond to the elements of FIG. 1. The receiver, shown generally at 600, includes chain block buffers 130, 132 and 134 which are used for the first, second and Nth blocks, respectively, of a first chain, and block buffers 630, 632 and 634 which are used for the first, second and Mth blocks, respectively, of a second chain. With this scheme, two or more blocks (one from each chain) can be communicated over line 113 at the same time. Moreover, additional block buffers may be provided to store data from more than two chains. Each chain can have the same or different lengths.

[0221] The encryption/decryption circuit 120 and authentication circuit 125 process chain 1, while the encryption/decryption circuit 620 and authentication circuit 625 process chain 2. The data from the key storage device 150 may be provided to the circuits 120, 125, 620 and 625 as required for each of the chains. Moreover, although shown as separate elements, the authentication circuit 125 and encryption/decryption circuit 120 may share common circuitry with the authentication circuit 625 and encryption/decryption circuit 620.

[0222] The embodiment of FIG. 6 allows for re-ordering across two or more chains when cipher block chaining is used. As discussed, when cipher block chaining is used, each block in a chain must be temporarily stored to recover the authentication block. The receiver 600 can therefore provide parallel processing of two or more cipher block chains, chain-wise re-ordering, or block-wise re-ordering across two or more chains.
[0223] Accordingly, it can be seen that the present invention provides an apparatus for descrambling a scrambled data transmission by transferring authenticated and, optionally, encrypted program information from an external storage device to a secure circuit in a simple block chain. Encrypted and optionally authenticated program information is also transferred from the external storage device to the secure circuit in the cipher block chain. The scheme allows upgrades and other changes to descrambling instructions to be easily made without modifying the secure circuit.

[0224] Additionally, the use of block chaining improves system throughput and reduces system cost by reducing authentication information overhead. Further, efficiencies are obtained by providing a cache to transfer two or more lines of decrypted or authenticated program information to the CPU in a single clock cycle, and by managing the timing of block deciphering with the transfer of decrypted data to the cache and the CPU.

[0225] An alternative embodiment of the invention uses simple block encryption instead of cipher block chaining. With this scheme, the blocks of the chain are authenticated by using a large authentication field as with the cipher block chaining. However, the chain of blocks may be decrypted and authenticated substantially in parallel rather than serially.

[0226] Re-ordering of the block chain using any field such as byte, block, and/or chain level is also provided, in addition to scrambled address storage at the external storage device.

[0227] Additionally, a bi-directional capability may be provided to allow program information to be transferred from the secure circuit to the external storage device. The program information need not be encrypted but only authenticated for security.

[0228] Although the invention has been described in connection with various specific embodiments, those skilled in the art will appreciate that numerous adaptations and modifications may be made thereto without departing from the spirit and scope of the invention as set forth in the claims.

[0229] For example, the invention is particularly suitable for deterring the copying and reverse engineering of proprietary software algorithms, and for securing cryptographic applications such as the descrambling of data transmissions such as pay-TV programs to prevent unauthorized users from receiving television broadcasts. The invention is equally useful in other applications, including terminals and smart cards for electronic funds transactions, premises access control, electronic games, commodities and stock data used by traders, data which is transferred via the Internet or other computer networks, and so forth.

[0230] Moreover, the invention is compatible with alternative encryption schemes such as a stream cipher, or a combination of both a stream cipher and cipher block chaining such as the Common Scrambling Algorithm (CSA).

[0231] Another such scheme is public key encryption. Because each block and chain is relatively small compared to the modulus sizes of, say, the RSA public key system, which can have sizes of 2048 bits (256 eight-bit bytes), it is possible to use RSA to encrypt one or more program information chains. If the RSA public key system were used, then it may be preferable to use an unbalanced exponent pair whereby the decryption private exponent is small, for example, equal to three. That would lower program information latency. Such a choice is, however, insecure: a private exponent of three can be found by trial from the public key alone, and any private exponent smaller than roughly the fourth root of the modulus is recoverable by Wiener's attack, so only the public exponent may be chosen small and the latency advantage cannot be obtained in this way. After decryption, the authentication information could be checked as in the block encryption techniques described above, and decrypted and checked, or simply checked. This makes it difficult to set the decrypted authentication value. And, as mentioned above, a combination of a secret key and a public key can be used.

Claims

1. An apparatus for processing program information, comprising:

a secure circuit including a central processing unit (CPU) and at least one block buffer for storing at least one block of the program information;
an external storage device which is adapted to store the program information external to said secure circuit;
a first communication path which is adapted to communicate a group of blocks of said program information from said external storage device to said at least one block buffer in a first block chain; and
a second communication path which is adapted to communicate the program information from the at least one block buffer to the CPU for processing therein.

2. The apparatus of claim 1, wherein: said secure circuit comprises an authentication circuit for authenticating said program information.

3. The apparatus of claim 2, wherein: said block chain is a simple block chain such that said group of blocks in said first block chain are processed substantially in parallel by said authentication circuit.

4. The apparatus of claim 2 or 3, wherein:

said first block chain and a subsequent second block chain of said program information are communicated between the external storage device and said at least one block buffer; and
said authentication circuit is adapted to authenticate at least a portion of the program information of said first block chain while at least a portion of said second block chain is being communicated over said first communication path.

5. The apparatus of one of claims 2 to 4, wherein:

said first communication path is adapted to communicate blocks of program information from said storage device to said at least one buffer in a second chain; and
said authentication circuit is adapted to authenticate program information from at least a portion of said first block chain and at least a portion of said second chain substantially concurrently.

6. The apparatus of one of claims 2 to 5, further comprising:

a cache arranged in said second communication path which is adapted to temporarily store the authenticated program information before the authenticated program information is provided to said CPU.

7. The apparatus of one of the preceding claims, further comprising:

means for detecting an illegal operational code in the program information.

8. The apparatus of one of the preceding claims, wherein:

at least part of said program information is hashed to provide said block chain.

9. The apparatus of one of the preceding claims, further comprising:

address generating means for providing addressing information to the external storage device for communicating said blocks of program information from the external storage device to said at least one block buffer in a desired sequence.

10. The apparatus of one of the preceding claims, wherein said program information comprises a plurality of strings which are to be processed in succession by said CPU.

11. The apparatus of one of the preceding claims, wherein:

said blocks of program information are stored in the external storage device in scrambled storage locations.

12. The apparatus of one of the preceding claims, wherein:

chains of said program information with substantially randomly varying lengths are communicated from the external storage device to said at least one block buffer.

13. The apparatus of claim 12, further comprising:

address generating means for providing addressing information to the external storage device for communicating said blocks of program information from the external storage device to said at least one block buffer in a desired sequence; wherein:
the substantially randomly varying lengths are determined according to said addressing information.

14. The apparatus of one of the preceding claims, further comprising:

means for providing a substantially random block-wise reordering of said first block chain, and substantially random re-ordering of a block of said first block chain, to communicate a re-ordered chain from the external storage device to said at least one block buffer.

15. The apparatus of one of the preceding claims, wherein:

units of said program information are communicated from the external storage device to said at least one block buffer using substantially randomly varying sequences.

16. The apparatus of claim 15, wherein said units of program information comprise block chains.

17. The apparatus of one of the preceding claims, wherein:

a plurality of program information is communicated from the external storage device to said secure circuit in units of varying length; and
the length of each unit is determined according to a processing latency of the associated program information of the respective units.
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18. The apparatus of one of the preceding claims, 
wherein: 

said program information comprises dummy 
data which is not processed by the CPU. s 

19. The apparatus of one of the preceding claims, 
wherein: 

said program information stored in the external storage device is encrypted; 
said secure circuit comprises a decryption circuit which is responsive to said at least one block buffer for decrypting the encrypted program information; and 
said second communication path is adapted to communicate the decrypted program information from the decryption circuit to the CPU for processing therein. 

20. The apparatus of claim 19, wherein: said first block chain and a subsequent second block chain of said program information are communicated between the external storage device and said at least one block buffer; and 

said decryption circuit is adapted to decrypt at least a portion of the program information of said first block chain while at least a portion of said second block chain is being communicated over said first communication path. 

21. The apparatus of claim 19 or 20, wherein: 

said first communication path is adapted to communicate blocks of program information from said storage device to said at least one buffer in a second chain; and 
said decryption circuit is adapted to decrypt program information from at least a portion of said first block chain and at least a portion of said second chain substantially concurrently. 

22. The apparatus of one of claims 19 to 21, further comprising: 

a cache arranged in said second communication path which is adapted to temporarily store the decrypted program information before the decrypted program information is provided to said CPU. 

23. The apparatus of one of claims 19 to 22, wherein: 

said first block chain is a cipher block chain. 

24. The apparatus of one of the preceding claims, further comprising: 

a communication path which is adapted to communicate a group of blocks of program information from said secure circuit to said external storage device in a second block chain. 

25. The apparatus of claim 24, further comprising: 

an encryption circuit for encrypting the program 
information for the second block chain. 

26. The apparatus of claim 25, wherein said encryption circuit is conditionally responsive to address information to allow a clear mode for the program information for the second block chain. 

27. The apparatus of one of claims 24 to 26, further comprising: 

an authentication circuit for authenticating the program information for the second block chain. 

28. The apparatus of claim 27, wherein said authentication circuit is conditionally responsive to address information to allow a clear mode for the program information for the second block chain. 

29. The apparatus of one of claims 24 to 28, further comprising: 

a re-sequencing circuit for randomly re-ordering the program information for the second block chain. 

30. The apparatus of one of claims 24 to 29, further comprising: 

a length determination circuit for randomly varying the length of units of the program information for the second block chain. 

31. The apparatus of one of claims 24 to 30, further 
comprising: 

a dummy-data insertion circuit for adding 
dummy-data to the program information for the 
second block chain. 

32. The apparatus of one of the preceding claims, 
wherein a plurality of chains of program information 
are communicated from the external storage device 
to said secure circuit in a substantially randomly 
varying sequence. 

33. An apparatus for communicating program informa- 
tion, comprising: 
a secure circuit for providing said program 
information; 

an external storage device which is adapted to 
store the program information external to said 
secure circuit; and 

a first communication path which is adapted to 
communicate a group of blocks of said program 
information from said secure circuit to the 
external storage device in a first block chain. 

34. The apparatus of claim 33, wherein: 

said program information comprises authenti- 
cation data; and 

said secure circuit comprises an authentication 
circuit for providing said authentication data. 

35. The apparatus of claim 34, wherein: 

said block chain is a simple block chain such 
that said group of blocks in said first block chain 
are processed substantially in parallel by said 
authentication circuit to provide said authenti- 
cation data. 

36. The apparatus of claim 34 or 35, wherein: 

said authentication circuit hashes at least part 
of the program information to provide said 
authentication data. 

37. The apparatus of one of claims 33 to 36, further 
comprising: 

address generating means for providing 
addressing information to the external storage 
device for communicating said blocks of pro- 
gram information from said secure circuit to the 
external storage device in a desired sequence. 

38. The apparatus of one of claims 33 to 37, wherein: 

said blocks of program information are stored 
in the external storage device in scrambled 
storage locations. 

39. The apparatus of one of claims 33 to 38, wherein: 

units of said program information with substan- 
tially randomly varying lengths are communi- 
cated from said secure circuit to the external 
storage device. 

40. The apparatus of one of claims 33 to 39, wherein a 
plurality of chains of program information are com- 
municated from said secure circuit to the external 
storage device in a substantially randomly varying 
sequence. 

41. The apparatus of one of claims 33 to 40, further comprising: 

means for providing at least one of (a) substantially random block-wise reordering of said first block chain, and (b) substantially random re-ordering of a block of said first block chain to communicate a re-ordered chain from said secure circuit to the external storage device. 

42. The apparatus of one of claims 33 to 41, wherein: 

units of said program information are communicated from said secure circuit to the external storage device using substantially randomly varying sequences. 

43. The apparatus of one of claims 33 to 42, wherein: 

units of said program information are communicated from said secure circuit to the external storage device using substantially randomly varying lengths. 

44. The apparatus of one of claims 33 to 43, wherein: 

said program information comprises dummy data which was not processed by the CPU. 

45. The apparatus of one of claims 33 to 44, wherein said program information is provided in block chains. 

46. The apparatus of one of claims 33 to 45, wherein: 

said secure circuit comprises an encryption circuit for encrypting said program information; and said first communication path is adapted to communicate the encrypted program information from the encryption circuit to the external storage device. 

47. The apparatus of claim 46, wherein: 

said block chain is a cipher block chain. 

48. The apparatus of one of claims 33 to 47, further comprising: 

a communication path which is adapted to communicate a group of blocks of program information from said external storage device to said secure circuit in a second block chain. 

49. The apparatus of claim 48, wherein the program information stored in said external storage device is encrypted, said secure circuit further comprising: 

a decryption circuit for decrypting the encrypted program information in the second block chain. 

50. An apparatus for processing encrypted program information, comprising: 

a secure circuit including at least one of encryption and decryption circuits, a central processing unit (CPU), and at least one block buffer for storing at least one block of program information; 

an external storage device which is adapted to store the program information external to said secure circuit; 

a first communication path which is adapted to communicate a group of blocks of said program information between said external storage device and said at least one block buffer in a first cipher block chain; 
said at least one of said encryption and decryption circuits being responsive to said at least one block buffer for respectively encrypting or decrypting said program information; and 
a second communication path which is adapted to communicate the program information between said at least one of decryption and encryption circuits and said CPU. 
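The following is an added software model of the exchange these claims describe (the secure circuit of claim 50 writing chains to the external storage device as in claims 33 and 46, and reading them back through a block buffer as in claims 19 to 23, with scrambled storage locations as in claims 11 and 38). It is illustration written for this page, not the patent's circuitry or any product code. Everything concrete in it is an assumption: an 8-byte block, four blocks per chain, an 8-byte truncated HMAC tag per chain, the key names, and a 4-round Feistel permutation built from HMAC-SHA256 that stands in for the encryption and decryption circuits (a toy, not a real cipher). The point it makes beyond the claim text is the authentication-overhead arithmetic and the order of operations on the read path: the whole chain is checked before any plaintext of it is released to the CPU.

```python
"""Model of the secure circuit / external storage exchange (added illustration).
Toy Feistel cipher, block/chain/tag sizes and key names are all assumptions."""
import hashlib
import hmac
import os

BLOCK = 8                # bytes per block (assumed)
HALF = BLOCK // 2
CHAIN_LEN = 4            # blocks per chain (assumed)
TAG_LEN = 8              # truncated HMAC tag per chain (assumed)
TAG_REGION = 1 << 32     # logical address region holding chain tags (assumed)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, data: bytes) -> bytes:
    """Feistel round function: HMAC-SHA256 keyed per round, truncated."""
    return hmac.new(key + bytes([rnd]), data, hashlib.sha256).digest()[:HALF]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation of one block. TOY stand-in for the
    encryption circuit; a real design would use a standard block cipher."""
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return r + l


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def scramble_addr(key: bytes, logical: int) -> int:
    """Keyed permutation of the 64-bit logical address: the scrambled
    storage location of a block in the external storage device."""
    return int.from_bytes(toy_encrypt(key, logical.to_bytes(BLOCK, "big")), "big")


def chain_iv(iv_key: bytes, chain_no: int) -> bytes:
    return hashlib.sha256(iv_key + chain_no.to_bytes(4, "big")).digest()[:BLOCK]


def chain_tag(auth_key: bytes, chain_no: int, iv: bytes, cblocks: list) -> bytes:
    """One authentication tag per chain rather than per block."""
    msg = chain_no.to_bytes(4, "big") + iv + b"".join(cblocks)
    return hmac.new(auth_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def store_program(mem: dict, keys: dict, program: bytes) -> int:
    """Secure circuit -> external storage: pad, split into chains, CBC-encrypt
    each chain, tag it, place blocks at scrambled addresses. Returns chain count."""
    program += b"\x00" * ((-len(program)) % (BLOCK * CHAIN_LEN))  # zero pad (toy)
    plain = [program[i:i + BLOCK] for i in range(0, len(program), BLOCK)]
    n_chains = len(plain) // CHAIN_LEN
    for k in range(n_chains):
        iv = chain_iv(keys["iv"], k)
        prev, cblocks = iv, []
        for i, p in enumerate(plain[k * CHAIN_LEN:(k + 1) * CHAIN_LEN]):
            c = toy_encrypt(keys["enc"], xor(prev, p))   # CBC: chain via previous ciphertext
            cblocks.append(c)
            prev = c
            mem[scramble_addr(keys["addr"], k * CHAIN_LEN + i)] = c
        mem[scramble_addr(keys["addr"], TAG_REGION + k)] = chain_tag(keys["auth"], k, iv, cblocks)
    return n_chains


def load_program(mem: dict, keys: dict, n_chains: int) -> bytes:
    """External storage -> block buffer -> decryption circuit -> CPU.
    The chain is authenticated before any of its plaintext is released."""
    out = b""
    for k in range(n_chains):
        iv = chain_iv(keys["iv"], k)
        block_buffer = [mem[scramble_addr(keys["addr"], k * CHAIN_LEN + i)] for i in range(CHAIN_LEN)]
        tag = mem[scramble_addr(keys["addr"], TAG_REGION + k)]
        if not hmac.compare_digest(tag, chain_tag(keys["auth"], k, iv, block_buffer)):
            raise ValueError(f"authentication failed on chain {k}")
        prev = iv
        for c in block_buffer:
            out += xor(prev, toy_decrypt(keys["enc"], c))
            prev = c
    return out


def auth_overhead(n_blocks: int, chain_len: int = CHAIN_LEN, tag_len: int = TAG_LEN) -> tuple:
    """Tag bytes with one tag per block versus one tag per chain."""
    return n_blocks * tag_len, -(-n_blocks // chain_len) * tag_len


def demo() -> dict:
    keys = {name: os.urandom(16) for name in ("enc", "auth", "addr", "iv")}
    program = b"PUSH 1; PUSH 2; ADD; PUSH 3; MUL; RET"     # constructed sample
    mem = {}                                              # plays the external storage device
    n = store_program(mem, keys, program)
    restored = load_program(mem, keys, n)
    addr = next(iter(mem))                                # flip one bit of whatever sits there
    mem[addr] = bytes([mem[addr][0] ^ 0x01]) + mem[addr][1:]
    try:
        load_program(mem, keys, n)
        detected = False
    except ValueError:
        detected = True
    return {"n_chains": n, "restored": restored.rstrip(b"\x00"), "tamper_detected": detected}


if __name__ == "__main__":
    print(demo(), auth_overhead(64))
```

Because every block of a chain depends on the previous ciphertext and the tag covers the whole chain, a single flipped bit anywhere in the chain (or in its tag) is rejected before decryption output reaches the CPU; the per-chain tag costs a quarter of the per-block tag bytes at this chain length, which is the overhead reduction the claims refer to.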